xref: /illumos-gate/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_k_encode.c (revision ba7b222e)

/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */
/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */
/*
 * src/lib/krb5/asn.1/asn1_k_encode.c
 *
 * Copyright 1994, 2008 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 *   require a specific license from the United States Government.
 *   It is the responsibility of any person or organization contemplating
 *   export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 */

#include "asn1_k_encode.h"
#include "asn1_make.h"
#include "asn1_encode.h"
#include <assert.h>
#include "k5-platform-store_32.h" /* Solaris Kerberos */

/* helper macros

   These are mostly only needed for PKINIT, but there are three
   basic-krb5 encoders not converted yet.  */

/* setup() -- create and initialize bookkeeping variables
     retval: stores error codes returned from subroutines
     length: length of the most-recently produced encoding
     sum: cumulative length of the entire encoding */
#define asn1_setup()\
  asn1_error_code retval;\
  unsigned int sum=0

/* form a sequence (by adding a sequence header to the current encoding) */
#define asn1_makeseq()\
{ unsigned int length;\
  retval = asn1_make_sequence(buf,sum,&length);\
  if (retval) {\
    return retval; }\
  sum += length; }

/* produce the final output and clean up the workspace */
#define asn1_cleanup()\
  *retlen = sum;\
  return 0

/* asn1_addfield -- add a field, or component, to the encoding */
#define asn1_addfield(value,tag,encoder)\
{ unsigned int length; \
  retval = encoder(buf,value,&length);  \
  if (retval) {\
    return retval; }\
  sum += length;\
  retval = asn1_make_etag(buf,CONTEXT_SPECIFIC,tag,length,&length);\
  if (retval) {\
    return retval; }\
  sum += length; }

DEFINTTYPE(int32, krb5_int32);
DEFPTRTYPE(int32_ptr, int32);

DEFUINTTYPE(uint, unsigned int);
DEFUINTTYPE(octet, krb5_octet);
DEFUINTTYPE(ui_4, krb5_ui_4);

DEFFNLENTYPE(octetstring, unsigned char *, asn1_encode_octetstring);
DEFFNLENTYPE(s_octetstring, char *, asn1_encode_octetstring);
DEFFNLENTYPE(charstring, char *, asn1_encode_charstring);
DEFFNLENTYPE(generalstring, char *, asn1_encode_generalstring);
DEFFNLENTYPE(u_generalstring, unsigned char *, asn1_encode_generalstring);
DEFFNLENTYPE(opaque, char *, asn1_encode_opaque);

DEFFIELDTYPE(gstring_data, krb5_data,
             FIELDOF_STRING(krb5_data, generalstring, data, length, -1));
DEFPTRTYPE(gstring_data_ptr,gstring_data);

DEFFIELDTYPE(ostring_data, krb5_data,
             FIELDOF_STRING(krb5_data, s_octetstring, data, length, -1));
DEFPTRTYPE(ostring_data_ptr,ostring_data);

DEFFIELDTYPE(opaque_data, krb5_data,
             FIELDOF_STRING(krb5_data, opaque, data, length, -1));

DEFFIELDTYPE(realm_of_principal_data, krb5_principal_data,
             FIELDOF_NORM(krb5_principal_data, gstring_data, realm, -1));
DEFPTRTYPE(realm_of_principal, realm_of_principal_data);


static const struct field_info princname_fields[] = {
    FIELDOF_NORM(krb5_principal_data, int32, type, 0),
    FIELDOF_SEQOF_INT32(krb5_principal_data, gstring_data_ptr, data, length, 1),
};
/* krb5_principal is a typedef for krb5_principal_data*, so this is
   effectively "encode_principal_data_at" with an address arg.  */
DEFSEQTYPE(principal_data, krb5_principal_data, princname_fields, 0);
DEFPTRTYPE(principal, principal_data);

static asn1_error_code
asn1_encode_kerberos_time_at(asn1buf *buf, const krb5_timestamp *val,
                             unsigned int *retlen)
{
    /* Range checking for time_t vs krb5_timestamp?  */
    time_t tval = *val;
    return asn1_encode_generaltime(buf, tval, retlen);
}
DEFFNXTYPE(kerberos_time, krb5_timestamp, asn1_encode_kerberos_time_at);

static const struct field_info address_fields[] = {
    FIELDOF_NORM(krb5_address, int32, addrtype, 0),
    FIELDOF_STRING(krb5_address, octetstring, contents, length, 1),
};
DEFSEQTYPE(address, krb5_address, address_fields, 0);
DEFPTRTYPE(address_ptr, address);

DEFNULLTERMSEQOFTYPE(seq_of_host_addresses, address_ptr);
DEFPTRTYPE(ptr_seqof_host_addresses, seq_of_host_addresses);

static unsigned int
optional_encrypted_data (const void *vptr)
{
    const krb5_enc_data *val = vptr;
    unsigned int optional = 0;

    if (val->kvno != 0)
        optional |= (1u << 1);

    return optional;
}

static const struct field_info encrypted_data_fields[] = {
    FIELDOF_NORM(krb5_enc_data, int32, enctype, 0),
    FIELDOF_OPT(krb5_enc_data, uint, kvno, 1, 1),
    FIELDOF_NORM(krb5_enc_data, ostring_data, ciphertext, 2),
};
DEFSEQTYPE(encrypted_data, krb5_enc_data, encrypted_data_fields,
           optional_encrypted_data);

/* The encode_bitstring function wants an array of bytes (since PKINIT
   may provide something that isn't 32 bits), but krb5_flags is stored
   as a 32-bit integer in host order.  */
static asn1_error_code
asn1_encode_krb5_flags_at(asn1buf *buf, const krb5_flags *val,
                          unsigned int *retlen)
{
    unsigned char cbuf[4];
    store_32_be((krb5_ui_4) *val, cbuf);
    return asn1_encode_bitstring(buf, 4, cbuf, retlen);
}
DEFFNXTYPE(krb5_flags, krb5_flags, asn1_encode_krb5_flags_at);

static const struct field_info authdata_elt_fields[] = {
    /* ad-type[0]               INTEGER */
    FIELDOF_NORM(krb5_authdata, int32, ad_type, 0),
    /* ad-data[1]               OCTET STRING */
    FIELDOF_STRING(krb5_authdata, octetstring, contents, length, 1),
};
DEFSEQTYPE(authdata_elt, krb5_authdata, authdata_elt_fields, 0);
DEFPTRTYPE(authdata_elt_ptr, authdata_elt);
DEFNONEMPTYNULLTERMSEQOFTYPE(auth_data, authdata_elt_ptr);
DEFPTRTYPE(auth_data_ptr, auth_data);

static const struct field_info encryption_key_fields[] = {
    FIELDOF_NORM(krb5_keyblock, int32, enctype, 0),
    FIELDOF_STRING(krb5_keyblock, octetstring, contents, length, 1),
};
DEFSEQTYPE(encryption_key, krb5_keyblock, encryption_key_fields, 0);
DEFPTRTYPE(ptr_encryption_key, encryption_key);

static const struct field_info checksum_fields[] = {
    FIELDOF_NORM(krb5_checksum, int32, checksum_type, 0),
    FIELDOF_STRING(krb5_checksum, octetstring, contents, length, 1),
};
DEFSEQTYPE(checksum, krb5_checksum, checksum_fields, 0);
DEFPTRTYPE(checksum_ptr, checksum);
DEFNULLTERMSEQOFTYPE(seq_of_checksum, checksum_ptr);
DEFPTRTYPE(ptr_seqof_checksum, seq_of_checksum);

static const struct field_info lr_fields[] = {
    FIELDOF_NORM(krb5_last_req_entry, int32, lr_type, 0),
    FIELDOF_NORM(krb5_last_req_entry, kerberos_time, value, 1),
};
DEFSEQTYPE(last_req_ent, krb5_last_req_entry, lr_fields, 0);

DEFPTRTYPE(last_req_ent_ptr, last_req_ent);
DEFNONEMPTYNULLTERMSEQOFTYPE(last_req, last_req_ent_ptr);
DEFPTRTYPE(last_req_ptr, last_req);

static const struct field_info ticket_fields[] = {
    FIELD_INT_IMM(KVNO, 0),
    FIELDOF_NORM(krb5_ticket, realm_of_principal, server, 1),
    FIELDOF_NORM(krb5_ticket, principal, server, 2),
    FIELDOF_NORM(krb5_ticket, encrypted_data, enc_part, 3),
};
DEFSEQTYPE(untagged_ticket, krb5_ticket, ticket_fields, 0);
DEFAPPTAGGEDTYPE(ticket, 1, untagged_ticket);

static const struct field_info pa_data_fields[] = {
    FIELDOF_NORM(krb5_pa_data, int32, pa_type, 1),
    FIELDOF_STRING(krb5_pa_data, octetstring, contents, length, 2),
};
DEFSEQTYPE(pa_data, krb5_pa_data, pa_data_fields, 0);
DEFPTRTYPE(pa_data_ptr, pa_data);

DEFNULLTERMSEQOFTYPE(seq_of_pa_data, pa_data_ptr);
DEFPTRTYPE(ptr_seqof_pa_data, seq_of_pa_data);

DEFPTRTYPE(ticket_ptr, ticket);
DEFNONEMPTYNULLTERMSEQOFTYPE(seq_of_ticket,ticket_ptr);
DEFPTRTYPE(ptr_seqof_ticket, seq_of_ticket);

/* EncKDCRepPart ::= SEQUENCE */
static const struct field_info enc_kdc_rep_part_fields[] = {
    /* key[0]           EncryptionKey */
    FIELDOF_NORM(krb5_enc_kdc_rep_part, ptr_encryption_key, session, 0),
    /* last-req[1]      LastReq */
    FIELDOF_NORM(krb5_enc_kdc_rep_part, last_req_ptr, last_req, 1),
    /* nonce[2]         INTEGER */
    FIELDOF_NORM(krb5_enc_kdc_rep_part, int32, nonce, 2),
    /* key-expiration[3]        KerberosTime OPTIONAL */
    FIELDOF_OPT(krb5_enc_kdc_rep_part, kerberos_time, key_exp, 3, 3),
    /* flags[4]         TicketFlags */
    FIELDOF_NORM(krb5_enc_kdc_rep_part, krb5_flags, flags, 4),
    /* authtime[5]      KerberosTime */
    FIELDOF_NORM(krb5_enc_kdc_rep_part, kerberos_time, times.authtime, 5),
    /* starttime[6]     KerberosTime OPTIONAL */
    FIELDOF_OPT(krb5_enc_kdc_rep_part, kerberos_time, times.starttime, 6, 6),
    /* endtime[7]               KerberosTime */
    FIELDOF_NORM(krb5_enc_kdc_rep_part, kerberos_time, times.endtime, 7),
    /* renew-till[8]    KerberosTime OPTIONAL */
    FIELDOF_OPT(krb5_enc_kdc_rep_part, kerberos_time, times.renew_till, 8, 8),
    /* srealm[9]                Realm */
    FIELDOF_NORM(krb5_enc_kdc_rep_part, realm_of_principal, server, 9),
    /* sname[10]                PrincipalName */
    FIELDOF_NORM(krb5_enc_kdc_rep_part, principal, server, 10),
    /* caddr[11]                HostAddresses OPTIONAL */
    FIELDOF_OPT(krb5_enc_kdc_rep_part, ptr_seqof_host_addresses, caddrs,
                11, 11),
    /* encrypted-pa-data[12]    SEQUENCE OF PA-DATA OPTIONAL */
    FIELDOF_OPT(krb5_enc_kdc_rep_part, ptr_seqof_pa_data, enc_padata, 12, 12),
};
static unsigned int optional_enc_kdc_rep_part(const void *p)
{
    const krb5_enc_kdc_rep_part *val = p;
    unsigned int optional = 0;

    if (val->key_exp)
        optional |= (1u << 3);
    if (val->times.starttime)
        optional |= (1u << 6);
    if (val->flags & TKT_FLG_RENEWABLE)
        optional |= (1u << 8);
    if (val->caddrs != NULL && val->caddrs[0] != NULL)
        optional |= (1u << 11);

    return optional;
}
DEFSEQTYPE(enc_kdc_rep_part, krb5_enc_kdc_rep_part, enc_kdc_rep_part_fields,
           optional_enc_kdc_rep_part);

/* Yuck!  Eventually push this *up* above the encoder API and make the
   rest of the library put the realm name in one consistent place.  At
   the same time, might as well add the msg-type field and encode both
   AS-REQ and TGS-REQ through the same descriptor.  */
struct kdc_req_hack {
    krb5_kdc_req v;
    krb5_data *server_realm;
};
static const struct field_info kdc_req_hack_fields[] = {
    FIELDOF_NORM(struct kdc_req_hack, krb5_flags, v.kdc_options, 0),
    FIELDOF_OPT(struct kdc_req_hack, principal, v.client, 1, 1),
    FIELDOF_NORM(struct kdc_req_hack, gstring_data_ptr, server_realm, 2),
    FIELDOF_OPT(struct kdc_req_hack, principal, v.server, 3, 3),
    FIELDOF_OPT(struct kdc_req_hack, kerberos_time, v.from, 4, 4),
    FIELDOF_NORM(struct kdc_req_hack, kerberos_time, v.till, 5),
    FIELDOF_OPT(struct kdc_req_hack, kerberos_time, v.rtime, 6, 6),
    FIELDOF_NORM(struct kdc_req_hack, int32, v.nonce, 7),
    FIELDOF_SEQOF_INT32(struct kdc_req_hack, int32_ptr, v.ktype, v.nktypes, 8),
    FIELDOF_OPT(struct kdc_req_hack, ptr_seqof_host_addresses, v.addresses, 9, 9),
    FIELDOF_OPT(struct kdc_req_hack, encrypted_data, v.authorization_data, 10, 10),
    FIELDOF_OPT(struct kdc_req_hack, ptr_seqof_ticket, v.second_ticket, 11, 11),
};
static unsigned int optional_kdc_req_hack(const void *p)
{
    const struct kdc_req_hack *val2 = p;
    const krb5_kdc_req *val = &val2->v;
    unsigned int optional = 0;

    if (val->second_ticket != NULL && val->second_ticket[0] != NULL)
        optional |= (1u << 11);
    if (val->authorization_data.ciphertext.data != NULL)
        optional |= (1u << 10);
    if (val->addresses != NULL && val->addresses[0] != NULL)
        optional |= (1u << 9);
    if (val->rtime)
        optional |= (1u << 6);
    if (val->from)
        optional |= (1u << 4);
    if (val->server != NULL)
        optional |= (1u << 3);
    if (val->client != NULL)
        optional |= (1u << 1);

    return optional;
}
DEFSEQTYPE(kdc_req_body_hack, struct kdc_req_hack, kdc_req_hack_fields,
           optional_kdc_req_hack);
static asn1_error_code
asn1_encode_kdc_req_hack(asn1buf *, const struct kdc_req_hack *,
                         unsigned int *);
MAKE_ENCFN(asn1_encode_kdc_req_hack, kdc_req_body_hack);
static asn1_error_code
asn1_encode_kdc_req_body(asn1buf *buf, const krb5_kdc_req *val,
                         unsigned int *retlen)
{
    struct kdc_req_hack val2;
    val2.v = *val;
    if (val->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY) {
        if (val->second_ticket != NULL && val->second_ticket[0] != NULL) {
            val2.server_realm = &val->second_ticket[0]->server->realm;
        } else return ASN1_MISSING_FIELD;
    } else if (val->server != NULL) {
        val2.server_realm = &val->server->realm;
    } else return ASN1_MISSING_FIELD;
    return asn1_encode_kdc_req_hack(buf, &val2, retlen);
}
DEFFNXTYPE(kdc_req_body, krb5_kdc_req, asn1_encode_kdc_req_body);
/* end ugly hack */

DEFPTRTYPE(ptr_kdc_req_body,kdc_req_body);

static const struct field_info transited_fields[] = {
    FIELDOF_NORM(krb5_transited, octet, tr_type, 0),
    FIELDOF_NORM(krb5_transited, ostring_data, tr_contents, 1),
};
DEFSEQTYPE(transited, krb5_transited, transited_fields, 0);

static const struct field_info krb_safe_body_fields[] = {
    FIELDOF_NORM(krb5_safe, ostring_data, user_data, 0),
    FIELDOF_OPT(krb5_safe, kerberos_time, timestamp, 1, 1),
    FIELDOF_OPT(krb5_safe, int32, usec, 2, 2),
    FIELDOF_OPT(krb5_safe, uint, seq_number, 3, 3),
    FIELDOF_NORM(krb5_safe, address_ptr, s_address, 4),
    FIELDOF_OPT(krb5_safe, address_ptr, r_address, 5, 5),
};
static unsigned int optional_krb_safe_body(const void *p)
{
    const krb5_safe *val = p;
    unsigned int optional = 0;

    if (val->timestamp) {
        optional |= (1u << 1);
        optional |= (1u << 2);
    }
    if (val->seq_number)
        optional |= (1u << 3);
    if (val->r_address != NULL)
        optional |= (1u << 5);

    return optional;
}
DEFSEQTYPE(krb_safe_body, krb5_safe, krb_safe_body_fields,
           optional_krb_safe_body);

static const struct field_info krb_cred_info_fields[] = {
    FIELDOF_NORM(krb5_cred_info, ptr_encryption_key, session, 0),
    FIELDOF_OPT(krb5_cred_info, realm_of_principal, client, 1, 1),
    FIELDOF_OPT(krb5_cred_info, principal, client, 2, 2),
    FIELDOF_OPT(krb5_cred_info, krb5_flags, flags, 3, 3),
    FIELDOF_OPT(krb5_cred_info, kerberos_time, times.authtime, 4, 4),
    FIELDOF_OPT(krb5_cred_info, kerberos_time, times.starttime, 5, 5),
    FIELDOF_OPT(krb5_cred_info, kerberos_time, times.endtime, 6, 6),
    FIELDOF_OPT(krb5_cred_info, kerberos_time, times.renew_till, 7, 7),
    FIELDOF_OPT(krb5_cred_info, realm_of_principal, server, 8, 8),
    FIELDOF_OPT(krb5_cred_info, principal, server, 9, 9),
    FIELDOF_OPT(krb5_cred_info, ptr_seqof_host_addresses, caddrs, 10, 10),
};
static unsigned int optional_krb_cred_info(const void *p)
{
    const krb5_cred_info *val = p;
    unsigned int optional = 0;

    if (val->caddrs != NULL && val->caddrs[0] != NULL)
        optional |= (1u << 10);
    if (val->server != NULL) {
        optional |= (1u << 9);
        optional |= (1u << 8);
    }
    if (val->times.renew_till)
        optional |= (1u << 7);
    if (val->times.endtime)
        optional |= (1u << 6);
    if (val->times.starttime)
        optional |= (1u << 5);
    if (val->times.authtime)
        optional |= (1u << 4);
    if (val->flags)
        optional |= (1u << 3);
    if (val->client != NULL) {
        optional |= (1u << 2);
        optional |= (1u << 1);
    }

    return optional;
}
DEFSEQTYPE(cred_info, krb5_cred_info, krb_cred_info_fields,
           optional_krb_cred_info);
DEFPTRTYPE(cred_info_ptr, cred_info);
DEFNULLTERMSEQOFTYPE(seq_of_cred_info, cred_info_ptr);

DEFPTRTYPE(ptrseqof_cred_info, seq_of_cred_info);



static unsigned int
optional_etype_info_entry(const void *vptr)
{
    const krb5_etype_info_entry *val = vptr;
    unsigned int optional = 0;

    if (val->length >= 0 && val->length != KRB5_ETYPE_NO_SALT)
        optional |= (1u << 1);

    return optional;
}
static const struct field_info etype_info_entry_fields[] = {
    FIELDOF_NORM(krb5_etype_info_entry, int32, etype, 0),
    FIELDOF_OPTSTRING(krb5_etype_info_entry, octetstring, salt, length, 1, 1),
};
DEFSEQTYPE(etype_info_entry, krb5_etype_info_entry, etype_info_entry_fields,
           optional_etype_info_entry);

static unsigned int
optional_etype_info2_entry(const void *vptr)
{
    const krb5_etype_info_entry *val = vptr;
    unsigned int optional = 0;

    if (val->length >= 0 && val->length != KRB5_ETYPE_NO_SALT)
        optional |= (1u << 1);
    if (val->s2kparams.data)
        optional |= (1u << 2);

    return optional;
}

static const struct field_info etype_info2_entry_fields[] = {
    FIELDOF_NORM(krb5_etype_info_entry, int32, etype, 0),
    FIELDOF_OPTSTRING(krb5_etype_info_entry, u_generalstring, salt, length,
                      1, 1),
    FIELDOF_OPT(krb5_etype_info_entry, ostring_data, s2kparams, 2, 2),
};
DEFSEQTYPE(etype_info2_entry, krb5_etype_info_entry, etype_info2_entry_fields,
           optional_etype_info2_entry);

DEFPTRTYPE(etype_info_entry_ptr, etype_info_entry);
DEFNULLTERMSEQOFTYPE(etype_info, etype_info_entry_ptr);

DEFPTRTYPE(etype_info2_entry_ptr, etype_info2_entry);
DEFNULLTERMSEQOFTYPE(etype_info2, etype_info2_entry_ptr);

static const struct field_info passwdsequence_fields[] = {
    FIELDOF_NORM(passwd_phrase_element, ostring_data_ptr, passwd, 0),
    FIELDOF_NORM(passwd_phrase_element, ostring_data_ptr, phrase, 1),
};
DEFSEQTYPE(passwdsequence, passwd_phrase_element, passwdsequence_fields, 0);

DEFPTRTYPE(passwdsequence_ptr, passwdsequence);
DEFNONEMPTYNULLTERMSEQOFTYPE(seqof_passwdsequence, passwdsequence_ptr);
DEFPTRTYPE(ptr_seqof_passwdsequence, seqof_passwdsequence);


static const struct field_info sam_challenge_fields[] = {
    FIELDOF_NORM(krb5_sam_challenge, int32, sam_type, 0),
    FIELDOF_NORM(krb5_sam_challenge, krb5_flags, sam_flags, 1),
    FIELDOF_OPT(krb5_sam_challenge, ostring_data, sam_type_name, 2, 2),
    FIELDOF_OPT(krb5_sam_challenge, ostring_data, sam_track_id,3, 3),
    FIELDOF_OPT(krb5_sam_challenge, ostring_data, sam_challenge_label,4, 4),
    FIELDOF_OPT(krb5_sam_challenge, ostring_data, sam_challenge,5, 5),
    FIELDOF_OPT(krb5_sam_challenge, ostring_data, sam_response_prompt,6, 6),
    FIELDOF_OPT(krb5_sam_challenge, ostring_data, sam_pk_for_sad,7, 7),
    FIELDOF_OPT(krb5_sam_challenge, int32, sam_nonce, 8, 8),
    FIELDOF_OPT(krb5_sam_challenge, checksum, sam_cksum, 9, 9),
};
static unsigned int optional_sam_challenge(const void *p)
{
    const krb5_sam_challenge *val = p;
    unsigned int optional = 0;

    if (val->sam_cksum.length)
        optional |= (1u << 9);

    if (val->sam_nonce)
        optional |= (1u << 8);

    if (val->sam_pk_for_sad.length > 0) optional |= (1u << 7);
    if (val->sam_response_prompt.length > 0) optional |= (1u << 6);
    if (val->sam_challenge.length > 0) optional |= (1u << 5);
    if (val->sam_challenge_label.length > 0) optional |= (1u << 4);
    if (val->sam_track_id.length > 0) optional |= (1u << 3);
    if (val->sam_type_name.length > 0) optional |= (1u << 2);

    return optional;
}
DEFSEQTYPE(sam_challenge,krb5_sam_challenge,sam_challenge_fields,
           optional_sam_challenge);

#if 0 /* encoders not used! */
MAKE_ENCFN(asn1_encode_sequence_of_checksum, seq_of_checksum);
static asn1_error_code
asn1_encode_sam_challenge_2(asn1buf *buf, const krb5_sam_challenge_2 *val,
                            unsigned int *retlen)
{
    asn1_setup();
    if ( (!val) || (!val->sam_cksum) || (!val->sam_cksum[0]))
        return ASN1_MISSING_FIELD;

    asn1_addfield(val->sam_cksum, 1, asn1_encode_sequence_of_checksum);

    {
        unsigned int length;

        retval = asn1buf_insert_octetstring(buf, val->sam_challenge_2_body.length,
                                            (unsigned char *)val->sam_challenge_2_body.data);
        if (retval) {
            return retval;
        }
        sum += val->sam_challenge_2_body.length;
        retval = asn1_make_etag(buf, CONTEXT_SPECIFIC, 0,
                                val->sam_challenge_2_body.length, &length);
        if (retval) {
            return retval;
        }
        sum += length;
    }

    asn1_makeseq();
    asn1_cleanup();
}
DEFFNXTYPE(sam_challenge_2, krb5_sam_challenge_2, asn1_encode_sam_challenge_2);

static const struct field_info sam_challenge_2_body_fields[] = {
    FIELDOF_NORM(krb5_sam_challenge_2_body, int32, sam_type, 0),
    FIELDOF_NORM(krb5_sam_challenge_2_body, krb5_flags, sam_flags, 1),
    FIELDOF_OPT(krb5_sam_challenge_2_body, ostring_data, sam_type_name, 2, 2),
    FIELDOF_OPT(krb5_sam_challenge_2_body, ostring_data, sam_track_id,3, 3),
    FIELDOF_OPT(krb5_sam_challenge_2_body, ostring_data, sam_challenge_label,4, 4),
    FIELDOF_OPT(krb5_sam_challenge_2_body, ostring_data, sam_challenge,5, 5),
    FIELDOF_OPT(krb5_sam_challenge_2_body, ostring_data, sam_response_prompt,6, 6),
    FIELDOF_OPT(krb5_sam_challenge_2_body, ostring_data, sam_pk_for_sad,7, 7),
    FIELDOF_NORM(krb5_sam_challenge_2_body, int32, sam_nonce, 8),
    FIELDOF_NORM(krb5_sam_challenge_2_body, int32, sam_etype, 9),
};
static unsigned int optional_sam_challenge_2_body(const void *p)
{
    const krb5_sam_challenge_2_body *val = p;
    unsigned int optional = 0;

    if (val->sam_pk_for_sad.length > 0) optional |= (1u << 7);
    if (val->sam_response_prompt.length > 0) optional |= (1u << 6);
    if (val->sam_challenge.length > 0) optional |= (1u << 5);
    if (val->sam_challenge_label.length > 0) optional |= (1u << 4);
    if (val->sam_track_id.length > 0) optional |= (1u << 3);
    if (val->sam_type_name.length > 0) optional |= (1u << 2);

    return optional;
}
DEFSEQTYPE(sam_challenge_2_body,krb5_sam_challenge_2_body,sam_challenge_2_body_fields,
           optional_sam_challenge_2_body);
#endif

static const struct field_info sam_key_fields[] = {
    FIELDOF_NORM(krb5_sam_key, encryption_key, sam_key, 0),
};
DEFSEQTYPE(sam_key, krb5_sam_key, sam_key_fields, 0);

static const struct field_info enc_sam_response_enc_fields[] = {
    FIELDOF_NORM(krb5_enc_sam_response_enc, int32, sam_nonce, 0),
    FIELDOF_NORM(krb5_enc_sam_response_enc, kerberos_time, sam_timestamp, 1),
    FIELDOF_NORM(krb5_enc_sam_response_enc, int32, sam_usec, 2),
    FIELDOF_OPT(krb5_enc_sam_response_enc, ostring_data, sam_sad, 3, 3),
};
static unsigned int optional_enc_sam_response_enc(const void *p)
{
    const krb5_enc_sam_response_enc *val = p;
    unsigned int optional = 0;

    if (val->sam_sad.length > 0) optional |= (1u << 3);

    return optional;
}
DEFSEQTYPE(enc_sam_response_enc, krb5_enc_sam_response_enc,
           enc_sam_response_enc_fields, optional_enc_sam_response_enc);

static const struct field_info enc_sam_response_enc_2_fields[] = {
    FIELDOF_NORM(krb5_enc_sam_response_enc_2, int32, sam_nonce, 0),
    FIELDOF_OPT(krb5_enc_sam_response_enc_2, ostring_data, sam_sad, 1, 1),
};
static unsigned int optional_enc_sam_response_enc_2(const void *p)
{
    const krb5_enc_sam_response_enc_2 *val = p;
    unsigned int optional = 0;

    if (val->sam_sad.length > 0) optional |= (1u << 1);

    return optional;
}
DEFSEQTYPE(enc_sam_response_enc_2, krb5_enc_sam_response_enc_2,
           enc_sam_response_enc_2_fields, optional_enc_sam_response_enc_2);

static const struct field_info sam_response_fields[] = {
    FIELDOF_NORM(krb5_sam_response, int32, sam_type, 0),
    FIELDOF_NORM(krb5_sam_response, krb5_flags, sam_flags, 1),
    FIELDOF_OPT(krb5_sam_response, ostring_data, sam_track_id, 2, 2),
    FIELDOF_OPT(krb5_sam_response, encrypted_data, sam_enc_key, 3, 3),
    FIELDOF_NORM(krb5_sam_response, encrypted_data, sam_enc_nonce_or_ts, 4),
    FIELDOF_OPT(krb5_sam_response, int32, sam_nonce, 5, 5),
    FIELDOF_OPT(krb5_sam_response, kerberos_time, sam_patimestamp, 6, 6),
};
static unsigned int optional_sam_response(const void *p)
{
    const krb5_sam_response *val = p;
    unsigned int optional = 0;

    if (val->sam_patimestamp)
        optional |= (1u << 6);
    if (val->sam_nonce)
        optional |= (1u << 5);
    if (val->sam_enc_key.ciphertext.length)
        optional |= (1u << 3);
    if (val->sam_track_id.length > 0) optional |= (1u << 2);

    return optional;
}
DEFSEQTYPE(sam_response, krb5_sam_response, sam_response_fields,
           optional_sam_response);

static const struct field_info sam_response_2_fields[] = {
    FIELDOF_NORM(krb5_sam_response_2, int32, sam_type, 0),
    FIELDOF_NORM(krb5_sam_response_2, krb5_flags, sam_flags, 1),
    FIELDOF_OPT(krb5_sam_response_2, ostring_data, sam_track_id, 2, 2),
    FIELDOF_NORM(krb5_sam_response_2, encrypted_data, sam_enc_nonce_or_sad, 3),
    FIELDOF_NORM(krb5_sam_response_2, int32, sam_nonce, 4),
};
static unsigned int optional_sam_response_2(const void *p)
{
    const krb5_sam_response_2 *val = p;
    unsigned int optional = 0;

    if (val->sam_track_id.length > 0) optional |= (1u << 2);

    return optional;
}
DEFSEQTYPE(sam_response_2, krb5_sam_response_2, sam_response_2_fields,
           optional_sam_response_2);

static const struct field_info predicted_sam_response_fields[] = {
    FIELDOF_NORM(krb5_predicted_sam_response, encryption_key, sam_key, 0),
    FIELDOF_NORM(krb5_predicted_sam_response, krb5_flags, sam_flags, 1),
    FIELDOF_NORM(krb5_predicted_sam_response, kerberos_time, stime, 2),
    FIELDOF_NORM(krb5_predicted_sam_response, int32, susec, 3),
    FIELDOF_NORM(krb5_predicted_sam_response, realm_of_principal, client, 4),
    FIELDOF_NORM(krb5_predicted_sam_response, principal, client, 5),
    FIELDOF_OPT(krb5_predicted_sam_response, ostring_data, msd, 6, 6),
};
static unsigned int optional_predicted_sam_response(const void *p)
{
    const krb5_predicted_sam_response *val = p;
    unsigned int optional = 0;

    if (val->msd.length > 0) optional |= (1u << 6);

    return optional;
}
DEFSEQTYPE(predicted_sam_response, krb5_predicted_sam_response,
           predicted_sam_response_fields,
           optional_predicted_sam_response);

static const struct field_info krb5_authenticator_fields[] = {
    /* Authenticator ::= [APPLICATION 2] SEQUENCE */
    /* authenticator-vno[0]     INTEGER */
    FIELD_INT_IMM(KVNO, 0),
    /* crealm[1]                        Realm */
    FIELDOF_NORM(krb5_authenticator, realm_of_principal, client, 1),
    /* cname[2]                 PrincipalName */
    FIELDOF_NORM(krb5_authenticator, principal, client, 2),
    /* cksum[3]                 Checksum OPTIONAL */
    FIELDOF_OPT(krb5_authenticator, checksum_ptr, checksum, 3, 3),
    /* cusec[4]                 INTEGER */
    FIELDOF_NORM(krb5_authenticator, int32, cusec, 4),
    /* ctime[5]                 KerberosTime */
    FIELDOF_NORM(krb5_authenticator, kerberos_time, ctime, 5),
    /* subkey[6]                        EncryptionKey OPTIONAL */
    FIELDOF_OPT(krb5_authenticator, ptr_encryption_key, subkey, 6, 6),
    /* seq-number[7]            INTEGER OPTIONAL */
    FIELDOF_OPT(krb5_authenticator, uint, seq_number, 7, 7),
    /* authorization-data[8]    AuthorizationData OPTIONAL */
    FIELDOF_OPT(krb5_authenticator, auth_data_ptr, authorization_data, 8, 8),
};
static unsigned int optional_krb5_authenticator(const void *p)
{
    const krb5_authenticator *val = p;
    unsigned int optional = 0;

    if (val->authorization_data != NULL && val->authorization_data[0] != NULL)
        optional |= (1u << 8);

    if (val->seq_number != 0)
        optional |= (1u << 7);

    if (val->subkey != NULL)
        optional |= (1u << 6);

    if (val->checksum != NULL)
        optional |= (1u << 3);

    return optional;
}
DEFSEQTYPE(untagged_krb5_authenticator, krb5_authenticator, krb5_authenticator_fields,
           optional_krb5_authenticator);
DEFAPPTAGGEDTYPE(krb5_authenticator, 2, untagged_krb5_authenticator);

static const struct field_info enc_tkt_part_fields[] = {
    /* EncTicketPart ::= [APPLICATION 3] SEQUENCE */
    /* flags[0]                 TicketFlags */
    FIELDOF_NORM(krb5_enc_tkt_part, krb5_flags, flags, 0),
    /* key[1]                   EncryptionKey */
    FIELDOF_NORM(krb5_enc_tkt_part, ptr_encryption_key, session, 1),
    /* crealm[2]                        Realm */
    FIELDOF_NORM(krb5_enc_tkt_part, realm_of_principal, client, 2),
    /* cname[3]                 PrincipalName */
    FIELDOF_NORM(krb5_enc_tkt_part, principal, client, 3),
    /* transited[4]             TransitedEncoding */
    FIELDOF_NORM(krb5_enc_tkt_part, transited, transited, 4),
    /* authtime[5]              KerberosTime */
    FIELDOF_NORM(krb5_enc_tkt_part, kerberos_time, times.authtime, 5),
    /* starttime[6]             KerberosTime OPTIONAL */
    FIELDOF_OPT(krb5_enc_tkt_part, kerberos_time, times.starttime, 6, 6),
    /* endtime[7]                       KerberosTime */
    FIELDOF_NORM(krb5_enc_tkt_part, kerberos_time, times.endtime, 7),
    /* renew-till[8]            KerberosTime OPTIONAL */
    FIELDOF_OPT(krb5_enc_tkt_part, kerberos_time, times.renew_till, 8, 8),
    /* caddr[9]                 HostAddresses OPTIONAL */
    FIELDOF_OPT(krb5_enc_tkt_part, ptr_seqof_host_addresses, caddrs, 9, 9),
    /* authorization-data[10]   AuthorizationData OPTIONAL */
    FIELDOF_OPT(krb5_enc_tkt_part, auth_data_ptr, authorization_data, 10, 10),
};
static unsigned int optional_enc_tkt_part(const void *p)
{
    const krb5_enc_tkt_part *val = p;
    unsigned int optional = 0;

    if (val->authorization_data != NULL && val->authorization_data[0] != NULL)
        optional |= (1u << 10);
    if (val->caddrs != NULL && val->caddrs[0] != NULL)
        optional |= (1u << 9);
    if (val->times.renew_till)
        optional |= (1u << 8);
    if (val->times.starttime)
        optional |= (1u << 6);

    return optional;
}
DEFSEQTYPE(untagged_enc_tkt_part, krb5_enc_tkt_part, enc_tkt_part_fields,
           optional_enc_tkt_part);
DEFAPPTAGGEDTYPE(enc_tkt_part, 3, untagged_enc_tkt_part);

DEFAPPTAGGEDTYPE(enc_tgs_rep_part, 26, enc_kdc_rep_part);

static const struct field_info as_rep_fields[] = {
    /* AS-REP ::= [APPLICATION 11] KDC-REP */
    /* But KDC-REP needs to know what type it's being encapsulated
       in, so expand each version.  */
    FIELD_INT_IMM(KVNO, 0),
    FIELD_INT_IMM(KRB5_AS_REP, 1),
    FIELDOF_OPT(krb5_kdc_rep, ptr_seqof_pa_data, padata, 2, 2),
    FIELDOF_NORM(krb5_kdc_rep, realm_of_principal, client, 3),
    FIELDOF_NORM(krb5_kdc_rep, principal, client, 4),
    FIELDOF_NORM(krb5_kdc_rep, ticket_ptr, ticket, 5),
    FIELDOF_NORM(krb5_kdc_rep, encrypted_data, enc_part, 6),
};
static unsigned int optional_as_rep(const void *p)
{
    const krb5_kdc_rep *val = p;
    unsigned int optional = 0;

    if (val->padata != NULL && val->padata[0] != NULL)
        optional |= (1u << 2);

    return optional;
}
DEFSEQTYPE(untagged_as_rep, krb5_kdc_rep, as_rep_fields, optional_as_rep);
DEFAPPTAGGEDTYPE(as_rep, 11, untagged_as_rep);

static const struct field_info tgs_rep_fields[] = {
    /* TGS-REP ::= [APPLICATION 13] KDC-REP */
    /* But KDC-REP needs to know what type it's being encapsulated
       in, so expand each version.  */
    FIELD_INT_IMM(KVNO, 0),
    FIELD_INT_IMM(KRB5_TGS_REP, 1),
    FIELDOF_OPT(krb5_kdc_rep, ptr_seqof_pa_data, padata, 2, 2),
    FIELDOF_NORM(krb5_kdc_rep, realm_of_principal, client, 3),
    FIELDOF_NORM(krb5_kdc_rep, principal, client, 4),
    FIELDOF_NORM(krb5_kdc_rep, ticket_ptr, ticket, 5),
    FIELDOF_NORM(krb5_kdc_rep, encrypted_data, enc_part, 6),
};
static unsigned int optional_tgs_rep(const void *p)
{
    const krb5_kdc_rep *val = p;
    unsigned int optional = 0;

    if (val->padata != NULL && val->padata[0] != NULL)
        optional |= (1u << 2);

    return optional;
}
DEFSEQTYPE(untagged_tgs_rep, krb5_kdc_rep, tgs_rep_fields, optional_tgs_rep);
DEFAPPTAGGEDTYPE(tgs_rep, 13, untagged_tgs_rep);

static const struct field_info ap_req_fields[] = {
    /* AP-REQ ::=       [APPLICATION 14] SEQUENCE */
    /* pvno[0]          INTEGER */
    FIELD_INT_IMM(KVNO, 0),
    /* msg-type[1]      INTEGER */
    FIELD_INT_IMM(ASN1_KRB_AP_REQ, 1),
    /* ap-options[2]    APOptions */
    FIELDOF_NORM(krb5_ap_req, krb5_flags, ap_options, 2),
    /* ticket[3]                Ticket */
    FIELDOF_NORM(krb5_ap_req, ticket_ptr, ticket, 3),
    /* authenticator[4] EncryptedData */
    FIELDOF_NORM(krb5_ap_req, encrypted_data, authenticator, 4),
};
DEFSEQTYPE(untagged_ap_req, krb5_ap_req, ap_req_fields, 0);
DEFAPPTAGGEDTYPE(ap_req, 14, untagged_ap_req);

static const struct field_info ap_rep_fields[] = {
    /* AP-REP ::=       [APPLICATION 15] SEQUENCE */
    /* pvno[0]          INTEGER */
    FIELD_INT_IMM(KVNO, 0),
    /* msg-type[1]      INTEGER */
    FIELD_INT_IMM(ASN1_KRB_AP_REP, 1),
    /* enc-part[2]      EncryptedData */
    FIELDOF_NORM(krb5_ap_rep, encrypted_data, enc_part, 2),
};
DEFSEQTYPE(untagged_ap_rep, krb5_ap_rep, ap_rep_fields, 0);
DEFAPPTAGGEDTYPE(ap_rep, 15, untagged_ap_rep);

static const struct field_info ap_rep_enc_part_fields[] = {
    /* EncAPRepPart ::= [APPLICATION 27] SEQUENCE */
    /* ctime[0]         KerberosTime */
    FIELDOF_NORM(krb5_ap_rep_enc_part, kerberos_time, ctime, 0),
    /* cusec[1]         INTEGER */
    FIELDOF_NORM(krb5_ap_rep_enc_part, int32, cusec, 1),
    /* subkey[2]                EncryptionKey OPTIONAL */
    FIELDOF_OPT(krb5_ap_rep_enc_part, ptr_encryption_key, subkey, 2, 2),
    /* seq-number[3]    INTEGER OPTIONAL */
    FIELDOF_OPT(krb5_ap_rep_enc_part, uint, seq_number, 3, 3),
};
static unsigned int optional_ap_rep_enc_part(const void *p)
{
    const krb5_ap_rep_enc_part *val = p;
    unsigned int optional = 0;

    if (val->seq_number)
        optional |= (1u << 3);
    if (val->subkey != NULL)
        optional |= (1u << 2);

    return optional;
}
DEFSEQTYPE(untagged_ap_rep_enc_part, krb5_ap_rep_enc_part,
           ap_rep_enc_part_fields, optional_ap_rep_enc_part);
DEFAPPTAGGEDTYPE(ap_rep_enc_part, 27, untagged_ap_rep_enc_part);

static const struct field_info as_req_fields[] = {
    /* AS-REQ ::= [APPLICATION 10] KDC-REQ */
    FIELD_INT_IMM(KVNO, 1),
    FIELD_INT_IMM(KRB5_AS_REQ, 2),
    FIELDOF_OPT(krb5_kdc_req, ptr_seqof_pa_data, padata, 3, 3),
    FIELDOF_ENCODEAS(krb5_kdc_req, kdc_req_body, 4),
};
static unsigned int optional_as_req(const void *p)
{
    const krb5_kdc_req *val = p;
    unsigned int optional = 0;

    if (val->padata != NULL && val->padata[0] != NULL)
        optional |= (1u << 3);

    return optional;
}
DEFSEQTYPE(untagged_as_req, krb5_kdc_req, as_req_fields, optional_as_req);
DEFAPPTAGGEDTYPE(as_req, 10, untagged_as_req);

static const struct field_info tgs_req_fields[] = {
    /* TGS-REQ ::= [APPLICATION 12] KDC-REQ */
    FIELD_INT_IMM(KVNO, 1),
    FIELD_INT_IMM(KRB5_TGS_REQ, 2),
    FIELDOF_OPT(krb5_kdc_req, ptr_seqof_pa_data, padata, 3, 3),
    FIELDOF_ENCODEAS(krb5_kdc_req, kdc_req_body, 4),
};
static unsigned int optional_tgs_req(const void *p)
{
    const krb5_kdc_req *val = p;
    unsigned int optional = 0;

    if (val->padata != NULL && val->padata[0] != NULL)
        optional |= (1u << 3);

    return optional;
}
DEFSEQTYPE(untagged_tgs_req, krb5_kdc_req, tgs_req_fields,
           optional_tgs_req);
DEFAPPTAGGEDTYPE(tgs_req, 12, untagged_tgs_req);

static const struct field_info krb5_safe_fields[] = {
    FIELD_INT_IMM(KVNO, 0),
    FIELD_INT_IMM(ASN1_KRB_SAFE,1),
    FIELD_SELF(krb_safe_body, 2),
    FIELDOF_NORM(krb5_safe, checksum_ptr, checksum, 3),
};
DEFSEQTYPE(untagged_krb5_safe, krb5_safe, krb5_safe_fields, 0);
DEFAPPTAGGEDTYPE(krb5_safe, 20, untagged_krb5_safe);

DEFPTRTYPE(krb_saved_safe_body_ptr, opaque_data);
DEFFIELDTYPE(krb5_safe_checksum_only, krb5_safe,
             FIELDOF_NORM(krb5_safe, checksum_ptr, checksum, -1));
DEFPTRTYPE(krb5_safe_checksum_only_ptr, krb5_safe_checksum_only);
static const struct field_info krb5_safe_with_body_fields[] = {
    FIELD_INT_IMM(KVNO, 0),
    FIELD_INT_IMM(ASN1_KRB_SAFE,1),
    FIELDOF_NORM(struct krb5_safe_with_body, krb_saved_safe_body_ptr, body, 2),
    FIELDOF_NORM(struct krb5_safe_with_body, krb5_safe_checksum_only_ptr, safe, 3),
};
DEFSEQTYPE(untagged_krb5_safe_with_body, struct krb5_safe_with_body,
           krb5_safe_with_body_fields, 0);
DEFAPPTAGGEDTYPE(krb5_safe_with_body, 20, untagged_krb5_safe_with_body);

static const struct field_info priv_fields[] = {
    FIELD_INT_IMM(KVNO, 0),
    FIELD_INT_IMM(ASN1_KRB_PRIV, 1),
    FIELDOF_NORM(krb5_priv, encrypted_data, enc_part, 3),
};
DEFSEQTYPE(untagged_priv, krb5_priv, priv_fields, 0);
DEFAPPTAGGEDTYPE(krb5_priv, 21, untagged_priv);

static const struct field_info priv_enc_part_fields[] = {
    FIELDOF_NORM(krb5_priv_enc_part, ostring_data, user_data, 0),
    FIELDOF_OPT(krb5_priv_enc_part, kerberos_time, timestamp, 1, 1),
    FIELDOF_OPT(krb5_priv_enc_part, int32, usec, 2, 2),
    FIELDOF_OPT(krb5_priv_enc_part, uint, seq_number, 3, 3),
    FIELDOF_NORM(krb5_priv_enc_part, address_ptr, s_address, 4),
    FIELDOF_OPT(krb5_priv_enc_part, address_ptr, r_address, 5, 5),
};
static unsigned int optional_priv_enc_part(const void *p)
{
    const krb5_priv_enc_part *val = p;
    unsigned int optional = 0;

    if (val->timestamp) {
        optional |= (1u << 2);
        optional |= (1u << 1);
    }
    if (val->seq_number)
        optional |= (1u << 3);
    if (val->r_address)
        optional |= (1u << 5);

    return optional;
}
DEFSEQTYPE(untagged_priv_enc_part, krb5_priv_enc_part, priv_enc_part_fields,
           optional_priv_enc_part);
DEFAPPTAGGEDTYPE(priv_enc_part, 28, untagged_priv_enc_part);

static const struct field_info cred_fields[] = {
    /* KRB-CRED ::= [APPLICATION 22] SEQUENCE */
    /* pvno[0]          INTEGER */
    FIELD_INT_IMM(KVNO, 0),
    /* msg-type[1]      INTEGER, -- KRB_CRED */
    FIELD_INT_IMM(ASN1_KRB_CRED, 1),
    /* tickets[2]       SEQUENCE OF Ticket */
    FIELDOF_NORM(krb5_cred, ptr_seqof_ticket, tickets, 2),
    /* enc-part[3]      EncryptedData */
    FIELDOF_NORM(krb5_cred, encrypted_data, enc_part, 3),
};
DEFSEQTYPE(untagged_cred, krb5_cred, cred_fields, 0);
DEFAPPTAGGEDTYPE(krb5_cred, 22, untagged_cred);

static const struct field_info enc_cred_part_fields[] = {
    /* EncKrbCredPart ::= [APPLICATION 29] SEQUENCE */
    /* ticket-info[0]   SEQUENCE OF KrbCredInfo */
    FIELDOF_NORM(krb5_cred_enc_part, ptrseqof_cred_info, ticket_info, 0),
    /* nonce[1]         INTEGER OPTIONAL */
    FIELDOF_OPT(krb5_cred_enc_part, int32, nonce, 1, 1),
    /* timestamp[2]     KerberosTime OPTIONAL */
    FIELDOF_OPT(krb5_cred_enc_part, kerberos_time, timestamp, 2, 2),
    /* usec[3]          INTEGER OPTIONAL */
    FIELDOF_OPT(krb5_cred_enc_part, int32, usec, 3, 3),
    /* s-address[4]     HostAddress OPTIONAL */
    FIELDOF_OPT(krb5_cred_enc_part, address_ptr, s_address, 4, 4),
    /* r-address[5]     HostAddress OPTIONAL */
    FIELDOF_OPT(krb5_cred_enc_part, address_ptr, r_address, 5, 5),
};
static unsigned int optional_enc_cred_part(const void *p)
{
    const krb5_cred_enc_part *val = p;
    unsigned int optional = 0;

    if (val->r_address != NULL)
        optional |= (1u << 5);

    if (val->s_address != NULL)
        optional |= (1u << 4);

    if (val->timestamp) {
        optional |= (1u << 2);
        optional |= (1u << 3);
    }

    if (val->nonce)
        optional |= (1u << 1);

    return optional;
}
DEFSEQTYPE(untagged_enc_cred_part, krb5_cred_enc_part, enc_cred_part_fields,
           optional_enc_cred_part);
DEFAPPTAGGEDTYPE(enc_cred_part, 29, untagged_enc_cred_part);

static const struct field_info error_fields[] = {
    /* KRB-ERROR ::= [APPLICATION 30] SEQUENCE */
    /* pvno[0]          INTEGER */
    FIELD_INT_IMM(KVNO, 0),
    /* msg-type[1]      INTEGER */
    FIELD_INT_IMM(ASN1_KRB_ERROR, 1),
    /* ctime[2]         KerberosTime OPTIONAL */
    FIELDOF_OPT(krb5_error, kerberos_time, ctime, 2, 2),
    /* cusec[3]         INTEGER OPTIONAL */
    FIELDOF_OPT(krb5_error, int32, cusec, 3, 3),
    /* stime[4]         KerberosTime */
    FIELDOF_NORM(krb5_error, kerberos_time, stime, 4),
    /* susec[5]         INTEGER */
    FIELDOF_NORM(krb5_error, int32, susec, 5),
    /* error-code[6]    INTEGER */
    FIELDOF_NORM(krb5_error, ui_4, error, 6),
    /* crealm[7]        Realm OPTIONAL */
    FIELDOF_OPT(krb5_error, realm_of_principal, client, 7, 7),
    /* cname[8]         PrincipalName OPTIONAL */
    FIELDOF_OPT(krb5_error, principal, client, 8, 8),
    /* realm[9]         Realm -- Correct realm */
    FIELDOF_NORM(krb5_error, realm_of_principal, server, 9),
    /* sname[10]        PrincipalName -- Correct name */
    FIELDOF_NORM(krb5_error, principal, server, 10),
    /* e-text[11]       GeneralString OPTIONAL */
    FIELDOF_OPT(krb5_error, gstring_data, text, 11, 11),
    /* e-data[12]       OCTET STRING OPTIONAL */
    FIELDOF_OPT(krb5_error, ostring_data, e_data, 12, 12),
};
static unsigned int optional_error(const void *p)
{
    const krb5_error *val = p;
    unsigned int optional = 0;

    if (val->ctime)
        optional |= (1u << 2);
    if (val->cusec)
        optional |= (1u << 3);
    if (val->client) {
        optional |= (1u << 7);
        optional |= (1u << 8);
    }
    if (val->text.data != NULL && val->text.length > 0)
        optional |= (1u << 11);
    if (val->e_data.data != NULL && val->e_data.length > 0)
        optional |= (1u << 12);

    return optional;
}
DEFSEQTYPE(untagged_krb5_error, krb5_error, error_fields, optional_error);
DEFAPPTAGGEDTYPE(krb5_error, 30, untagged_krb5_error);

static const struct field_info alt_method_fields[] = {
    FIELDOF_NORM(krb5_alt_method, int32, method, 0),
    FIELDOF_OPTSTRING(krb5_alt_method, octetstring, data, length, 1, 1),
};
static unsigned int
optional_alt_method(const void *p)
{
    const krb5_alt_method *a = p;
    unsigned int optional = 0;

    if (a->data != NULL && a->length > 0)
        optional |= (1u << 1);

    return optional;
}
DEFSEQTYPE(alt_method, krb5_alt_method, alt_method_fields, optional_alt_method);

static const struct field_info pa_enc_ts_fields[] = {
    FIELDOF_NORM(krb5_pa_enc_ts, kerberos_time, patimestamp, 0),
    FIELDOF_OPT(krb5_pa_enc_ts, int32, pausec, 1, 1),
};
static unsigned int
optional_pa_enc_ts(const void *p)
{
    const krb5_pa_enc_ts *val = p;
    unsigned int optional = 0;

    if (val->pausec)
        optional |= (1u << 1);

    return optional;
}
DEFSEQTYPE(pa_enc_ts, krb5_pa_enc_ts, pa_enc_ts_fields, optional_pa_enc_ts);

static const struct field_info pwd_data_fields[] = {
    FIELDOF_NORM(krb5_pwd_data, int32, sequence_count, 0),
    FIELDOF_NORM(krb5_pwd_data, ptr_seqof_passwdsequence, element, 1),
};
DEFSEQTYPE(pwd_data, krb5_pwd_data, pwd_data_fields, 0);

static const struct field_info setpw_req_fields[] = {
    FIELDOF_NORM(struct krb5_setpw_req, ostring_data, password, 0),
    FIELDOF_NORM(struct krb5_setpw_req, principal, target, 1),
    FIELDOF_NORM(struct krb5_setpw_req, realm_of_principal, target, 2),
};

DEFSEQTYPE(setpw_req, struct krb5_setpw_req, setpw_req_fields, 0);

/* [MS-SFU] Section 2.2.1. */
static const struct field_info pa_for_user_fields[] = {
    FIELDOF_NORM(krb5_pa_for_user, principal, user, 0),
    FIELDOF_NORM(krb5_pa_for_user, realm_of_principal, user, 1),
    FIELDOF_NORM(krb5_pa_for_user, checksum, cksum, 2),
    FIELDOF_NORM(krb5_pa_for_user, gstring_data, auth_package, 3),
};

DEFSEQTYPE(pa_for_user, krb5_pa_for_user, pa_for_user_fields, 0);

/* draft-ietf-krb-wg-kerberos-referrals Appendix A. */
static const struct field_info pa_svr_referral_data_fields[] = {
    FIELDOF_NORM(krb5_pa_svr_referral_data, realm_of_principal, principal, 0),
    FIELDOF_OPT(krb5_pa_svr_referral_data, principal, principal, 1, 1),
};

DEFSEQTYPE(pa_svr_referral_data, krb5_pa_svr_referral_data, pa_svr_referral_data_fields, 0);

/* draft-ietf-krb-wg-kerberos-referrals Section 8. */
static const struct field_info pa_server_referral_data_fields[] = {
    FIELDOF_OPT(krb5_pa_server_referral_data, gstring_data_ptr, referred_realm, 0, 0),
    FIELDOF_OPT(krb5_pa_server_referral_data, principal, true_principal_name, 1, 1),
    FIELDOF_OPT(krb5_pa_server_referral_data, principal, requested_principal_name, 2, 2),
    FIELDOF_OPT(krb5_pa_server_referral_data, kerberos_time, referral_valid_until, 3, 3),
    FIELDOF_NORM(krb5_pa_server_referral_data, checksum, rep_cksum, 4),
};

DEFSEQTYPE(pa_server_referral_data, krb5_pa_server_referral_data, pa_server_referral_data_fields, 0);

#if 0
/* draft-brezak-win2k-krb-authz Section 6. */
static const struct field_info pa_pac_request_fields[] = {
    FIELDOF_NORM(krb5_pa_pac_req, boolean, include_pac, 0),
};

DEFSEQTYPE(pa_pac_request, krb5_pa_pac_req, pa_pac_request_fields, 0);
#endif

/* RFC 4537 */
DEFFIELDTYPE(etype_list, krb5_etype_list,
             FIELDOF_SEQOF_INT32(krb5_etype_list, int32_ptr, etypes, length, -1));

/* draft-ietf-krb-wg-preauth-framework-09 */
static const struct field_info fast_armor_fields[] = {
    FIELDOF_NORM(krb5_fast_armor, int32, armor_type, 0),
    FIELDOF_NORM( krb5_fast_armor, ostring_data, armor_value, 1),
};

DEFSEQTYPE( fast_armor, krb5_fast_armor, fast_armor_fields, 0);
DEFPTRTYPE( ptr_fast_armor, fast_armor);

static const struct field_info fast_armored_req_fields[] = {
    FIELDOF_OPT( krb5_fast_armored_req, ptr_fast_armor, armor, 0, 0),
    FIELDOF_NORM( krb5_fast_armored_req, checksum, req_checksum, 1),
    FIELDOF_NORM( krb5_fast_armored_req, encrypted_data, enc_part, 2),
};

static unsigned int fast_armored_req_optional (const void *p) {
    const krb5_fast_armored_req *val = p;
    unsigned int optional = 0;
    if (val->armor)
        optional |= (1u)<<0;
    return optional;
}

DEFSEQTYPE( fast_armored_req, krb5_fast_armored_req, fast_armored_req_fields, fast_armored_req_optional);
DEFFIELDTYPE( pa_fx_fast_request, krb5_fast_armored_req,
              FIELDOF_ENCODEAS( krb5_fast_armored_req, fast_armored_req, 0));

DEFFIELDTYPE(fast_req_padata, krb5_kdc_req,
             FIELDOF_NORM(krb5_kdc_req, ptr_seqof_pa_data, padata, -1));
DEFPTRTYPE(ptr_fast_req_padata, fast_req_padata);

static const struct field_info fast_req_fields[] = {
    FIELDOF_NORM(krb5_fast_req, krb5_flags, fast_options, 0),
    FIELDOF_NORM( krb5_fast_req, ptr_fast_req_padata, req_body, 1),
    FIELDOF_NORM( krb5_fast_req, ptr_kdc_req_body, req_body, 2),
};

DEFSEQTYPE(fast_req, krb5_fast_req, fast_req_fields, 0);


static const struct field_info fast_finished_fields[] = {
    FIELDOF_NORM( krb5_fast_finished, kerberos_time, timestamp, 0),
    FIELDOF_NORM( krb5_fast_finished, int32, usec, 1),
    FIELDOF_NORM( krb5_fast_finished, realm_of_principal, client, 2),
    FIELDOF_NORM(krb5_fast_finished, principal, client, 3),
    FIELDOF_NORM( krb5_fast_finished, checksum, ticket_checksum, 4),
};

DEFSEQTYPE( fast_finished, krb5_fast_finished, fast_finished_fields, 0);

DEFPTRTYPE( ptr_fast_finished, fast_finished);

static const struct field_info fast_response_fields[] = {
    FIELDOF_NORM(krb5_fast_response, ptr_seqof_pa_data, padata, 0),
    FIELDOF_OPT( krb5_fast_response, ptr_encryption_key, strengthen_key, 1, 1),
    FIELDOF_OPT( krb5_fast_response, ptr_fast_finished, finished, 2, 2),
    FIELDOF_NORM(krb5_fast_response, int32, nonce, 3),
};

static unsigned int fast_response_optional (const void *p)
{
    unsigned int optional = 0;
    const krb5_fast_response *val = p;
    if (val->strengthen_key)
        optional |= (1u <<1);
    if (val->finished)
        optional |= (1u<<2);
    return optional;
}
DEFSEQTYPE( fast_response, krb5_fast_response, fast_response_fields, fast_response_optional);

static const struct field_info fast_rep_fields[] = {
  FIELDOF_ENCODEAS(krb5_enc_data, encrypted_data, 0),
};
DEFSEQTYPE(fast_rep, krb5_enc_data, fast_rep_fields, 0);

DEFFIELDTYPE(pa_fx_fast_reply, krb5_enc_data,
             FIELDOF_ENCODEAS(krb5_enc_data, fast_rep, 0));




/* Exported complete encoders -- these produce a krb5_data with
   the encoding in the correct byte order.  */

MAKE_FULL_ENCODER(encode_krb5_authenticator, krb5_authenticator);
MAKE_FULL_ENCODER(encode_krb5_ticket, ticket);
MAKE_FULL_ENCODER(encode_krb5_encryption_key, encryption_key);
MAKE_FULL_ENCODER(encode_krb5_enc_tkt_part, enc_tkt_part);
/* XXX We currently (for backwards compatibility) encode both
   EncASRepPart and EncTGSRepPart with application tag 26.  */
MAKE_FULL_ENCODER(encode_krb5_enc_kdc_rep_part, enc_tgs_rep_part);
MAKE_FULL_ENCODER(encode_krb5_as_rep, as_rep);
MAKE_FULL_ENCODER(encode_krb5_tgs_rep, tgs_rep);
MAKE_FULL_ENCODER(encode_krb5_ap_req, ap_req);
MAKE_FULL_ENCODER(encode_krb5_ap_rep, ap_rep);
MAKE_FULL_ENCODER(encode_krb5_ap_rep_enc_part, ap_rep_enc_part);
MAKE_FULL_ENCODER(encode_krb5_as_req, as_req);
MAKE_FULL_ENCODER(encode_krb5_tgs_req, tgs_req);
MAKE_FULL_ENCODER(encode_krb5_kdc_req_body, kdc_req_body);
MAKE_FULL_ENCODER(encode_krb5_safe, krb5_safe);

/*
 * encode_krb5_safe_with_body
 *
 * Like encode_krb5_safe(), except takes a saved KRB-SAFE-BODY
 * encoding to avoid problems with re-encoding.
 */
MAKE_FULL_ENCODER(encode_krb5_safe_with_body, krb5_safe_with_body);

MAKE_FULL_ENCODER(encode_krb5_priv, krb5_priv);
MAKE_FULL_ENCODER(encode_krb5_enc_priv_part, priv_enc_part);
MAKE_FULL_ENCODER(encode_krb5_cred, krb5_cred);
MAKE_FULL_ENCODER(encode_krb5_enc_cred_part, enc_cred_part);
MAKE_FULL_ENCODER(encode_krb5_error, krb5_error);
MAKE_FULL_ENCODER(encode_krb5_authdata, auth_data);
MAKE_FULL_ENCODER(encode_krb5_authdata_elt, authdata_elt);
MAKE_FULL_ENCODER(encode_krb5_alt_method, alt_method);
MAKE_FULL_ENCODER(encode_krb5_etype_info, etype_info);
MAKE_FULL_ENCODER(encode_krb5_etype_info2, etype_info2);
MAKE_FULL_ENCODER(encode_krb5_enc_data, encrypted_data);
MAKE_FULL_ENCODER(encode_krb5_pa_enc_ts, pa_enc_ts);
/* Sandia Additions */
MAKE_FULL_ENCODER(encode_krb5_pwd_sequence, passwdsequence);
MAKE_FULL_ENCODER(encode_krb5_pwd_data, pwd_data);
MAKE_FULL_ENCODER(encode_krb5_padata_sequence, seq_of_pa_data);
/* sam preauth additions */
MAKE_FULL_ENCODER(encode_krb5_sam_challenge, sam_challenge);
#if 0 /* encoders not used! */
MAKE_FULL_ENCODER(encode_krb5_sam_challenge_2, sam_challenge_2);
MAKE_FULL_ENCODER(encode_krb5_sam_challenge_2_body,
                  sam_challenge_2_body);
#endif
MAKE_FULL_ENCODER(encode_krb5_sam_key, sam_key);
MAKE_FULL_ENCODER(encode_krb5_enc_sam_response_enc,
                  enc_sam_response_enc);
MAKE_FULL_ENCODER(encode_krb5_enc_sam_response_enc_2,
                  enc_sam_response_enc_2);
MAKE_FULL_ENCODER(encode_krb5_sam_response, sam_response);
MAKE_FULL_ENCODER(encode_krb5_sam_response_2, sam_response_2);
MAKE_FULL_ENCODER(encode_krb5_predicted_sam_response,
                  predicted_sam_response);
MAKE_FULL_ENCODER(encode_krb5_setpw_req, setpw_req);
MAKE_FULL_ENCODER(encode_krb5_pa_for_user, pa_for_user);
MAKE_FULL_ENCODER(encode_krb5_pa_svr_referral_data, pa_svr_referral_data);
MAKE_FULL_ENCODER(encode_krb5_pa_server_referral_data, pa_server_referral_data);
MAKE_FULL_ENCODER(encode_krb5_etype_list, etype_list);

MAKE_FULL_ENCODER(encode_krb5_pa_fx_fast_request, pa_fx_fast_request);
MAKE_FULL_ENCODER( encode_krb5_fast_req, fast_req);
MAKE_FULL_ENCODER( encode_krb5_pa_fx_fast_reply, pa_fx_fast_reply);
MAKE_FULL_ENCODER(encode_krb5_fast_response, fast_response);






/*
 * PKINIT
 */

/* This code hasn't been converted to use the above framework yet,
   because we currently have no test cases to validate the new
   version.  It *also* appears that some of the encodings may disagree
   with the specifications, but that's a separate problem.  */

/**** asn1 macros ****/
#if 0
   How to write an asn1 encoder function using these macros:

   asn1_error_code asn1_encode_krb5_substructure(asn1buf *buf,
                                                 const krb5_type *val,
                                                 int *retlen)
   {
     asn1_setup();

     asn1_addfield(val->last_field, n, asn1_type);
     asn1_addfield(rep->next_to_last_field, n-1, asn1_type);
     ...

     /* for OPTIONAL fields */
     if (rep->field_i == should_not_be_omitted)
       asn1_addfield(rep->field_i, i, asn1_type);

     /* for string fields (these encoders take an additional argument,
        the length of the string) */
     addlenfield(rep->field_length, rep->field, i-1, asn1_type);

     /* if you really have to do things yourself... */
     retval = asn1_encode_asn1_type(buf,rep->field,&length);
     if (retval) return retval;
     sum += length;
     retval = asn1_make_etag(buf, CONTEXT_SPECIFIC, tag_number, length,
                             &length);
     if (retval) return retval;
     sum += length;

     ...
     asn1_addfield(rep->second_field, 1, asn1_type);
     asn1_addfield(rep->first_field, 0, asn1_type);
     asn1_makeseq();

     asn1_cleanup();
   }
#endif

/* asn1_addlenfield -- add a field whose length must be separately specified */
#define asn1_addlenfield(len,value,tag,encoder)\
{ unsigned int length; \
  retval = encoder(buf,len,value,&length);      \
  if (retval) {\
    return retval; }\
  sum += length;\
  retval = asn1_make_etag(buf,CONTEXT_SPECIFIC,tag,length,&length);\
  if (retval) {\
    return retval; }\
  sum += length; }

/* asn1_addfield_implicit -- add an implicitly tagged field, or component, to the encoding */
#define asn1_addfield_implicit(value,tag,encoder)\
{ unsigned int length;\
  retval = encoder(buf,value,&length);\
  if (retval) {\
    return retval; }\
  sum += length;\
  retval = asn1_make_tag(buf,CONTEXT_SPECIFIC,PRIMITIVE,tag,length,&length); \
  if (retval) {\
    return retval; }\
  sum += length; }

/* asn1_insert_implicit_octetstring -- add an octet string with implicit tagging */
#define asn1_insert_implicit_octetstring(len,value,tag)\
{ unsigned int length;\
  retval = asn1buf_insert_octetstring(buf,len,value);\
  if (retval) {\
    return retval; }\
  sum += len;\
  retval = asn1_make_tag(buf,CONTEXT_SPECIFIC,PRIMITIVE,tag,len,&length); \
  if (retval) {\
    return retval; }\
  sum += length; }

/* asn1_insert_implicit_bitstring -- add a bitstring with implicit tagging */
/* needs "length" declared in enclosing context */
#define asn1_insert_implicit_bitstring(len,value,tag)\
{ retval = asn1buf_insert_octetstring(buf,len,value); \
  if (retval) {\
    return retval; }\
  sum += len;\
  retval = asn1buf_insert_octet(buf, 0);\
  if (retval) {\
    return retval; }\
  sum++;\
  retval = asn1_make_tag(buf,UNIVERSAL,PRIMITIVE,tag,len+1,&length); \
  if (retval) {\
    return retval; }\
  sum += length; }

#ifndef DISABLE_PKINIT

/* Callable encoders for the types defined above, until the PKINIT
   encoders get converted.  */
MAKE_ENCFN(asn1_encode_realm, realm_of_principal_data);
MAKE_ENCFN(asn1_encode_principal_name, principal_data);
MAKE_ENCFN(asn1_encode_encryption_key, encryption_key);
MAKE_ENCFN(asn1_encode_checksum, checksum);

static asn1_error_code
asn1_encode_kerberos_time(asn1buf *buf, const krb5_timestamp val,
                          unsigned int *retlen)
{
    return asn1_encode_kerberos_time_at(buf,&val,retlen);
}

/* Now the real PKINIT encoder functions.  */
asn1_error_code asn1_encode_pk_authenticator(asn1buf *buf, const krb5_pk_authenticator *val, unsigned int *retlen)
{
    asn1_setup();
    asn1_addlenfield(val->paChecksum.length, val->paChecksum.contents, 3, asn1_encode_octetstring);
    asn1_addfield(val->nonce, 2, asn1_encode_integer);
    asn1_addfield(val->ctime, 1, asn1_encode_kerberos_time);
    asn1_addfield(val->cusec, 0, asn1_encode_integer);

    asn1_makeseq();
    asn1_cleanup();
}

asn1_error_code asn1_encode_pk_authenticator_draft9(asn1buf *buf, const krb5_pk_authenticator_draft9 *val, unsigned int *retlen)
{
    asn1_setup();

    asn1_addfield(val->nonce, 4, asn1_encode_integer);
    asn1_addfield(val->ctime, 3, asn1_encode_kerberos_time);
    asn1_addfield(val->cusec, 2, asn1_encode_integer);
    asn1_addfield(val->kdcName, 1, asn1_encode_realm);
    asn1_addfield(val->kdcName, 0, asn1_encode_principal_name);

    asn1_makeseq();
    asn1_cleanup();
}


asn1_error_code asn1_encode_algorithm_identifier(asn1buf *buf, const krb5_algorithm_identifier *val, unsigned int *retlen)
{
    asn1_setup();

    if (val->parameters.length != 0) {
        retval = asn1buf_insert_octetstring(buf, val->parameters.length,
                                            val->parameters.data);
        if (retval)
            return retval;
        sum += val->parameters.length;
    }

    {
        unsigned int length;
        retval = asn1_encode_oid(buf, val->algorithm.length,
                                 val->algorithm.data,
                                 &length);

        if (retval)
            return retval;
        sum += length;
    }

    asn1_makeseq();
    asn1_cleanup();
}

asn1_error_code asn1_encode_subject_pk_info(asn1buf *buf, const krb5_subject_pk_info *val, unsigned int *retlen)
{
    asn1_setup();

    {
        unsigned int length;
        asn1_insert_implicit_bitstring(val->subjectPublicKey.length,val->subjectPublicKey.data,ASN1_BITSTRING);
    }

    if (val->algorithm.parameters.length != 0) {
        unsigned int length;

        retval = asn1buf_insert_octetstring(buf, val->algorithm.parameters.length,
                                            val->algorithm.parameters.data);
        if (retval)
            return retval;
        sum += val->algorithm.parameters.length;

        retval = asn1_encode_oid(buf, val->algorithm.algorithm.length,
                                 val->algorithm.algorithm.data,
                                 &length);

        if (retval)
            return retval;
        sum += length;


        retval = asn1_make_etag(buf, UNIVERSAL, ASN1_SEQUENCE,
                                val->algorithm.parameters.length + length,
                                &length);

        if (retval)
            return retval;
        sum += length;
    }

    asn1_makeseq();
    asn1_cleanup();
}

asn1_error_code asn1_encode_sequence_of_algorithm_identifier(asn1buf *buf, const krb5_algorithm_identifier **val, unsigned int *retlen)
{
    asn1_setup();
    int i;

    if (val == NULL || val[0] == NULL) return ASN1_MISSING_FIELD;

    for (i=0; val[i] != NULL; i++);
    for (i--; i>=0; i--) {
        unsigned int length;
        retval = asn1_encode_algorithm_identifier(buf,val[i],&length);
        if (retval) return retval;
        sum += length;
    }
    asn1_makeseq();

    asn1_cleanup();
}

asn1_error_code asn1_encode_auth_pack(asn1buf *buf, const krb5_auth_pack *val, unsigned int *retlen)
{
    asn1_setup();

    if (val->clientDHNonce.length != 0)
        asn1_addlenfield(val->clientDHNonce.length, val->clientDHNonce.data, 3, asn1_encode_octetstring);
    if (val->supportedCMSTypes != NULL)
        asn1_addfield((const krb5_algorithm_identifier **)val->supportedCMSTypes,2,asn1_encode_sequence_of_algorithm_identifier);
    if (val->clientPublicValue != NULL)
        asn1_addfield(val->clientPublicValue,1,asn1_encode_subject_pk_info);
    asn1_addfield(&(val->pkAuthenticator),0,asn1_encode_pk_authenticator);

    asn1_makeseq();
    asn1_cleanup();
}

asn1_error_code asn1_encode_auth_pack_draft9(asn1buf *buf, const krb5_auth_pack_draft9 *val, unsigned int *retlen)
{
    asn1_setup();

    if (val->clientPublicValue != NULL)
        asn1_addfield(val->clientPublicValue, 1, asn1_encode_subject_pk_info);
    asn1_addfield(&(val->pkAuthenticator), 0, asn1_encode_pk_authenticator_draft9);

    asn1_makeseq();
    asn1_cleanup();
}

asn1_error_code asn1_encode_external_principal_identifier(asn1buf *buf, const krb5_external_principal_identifier *val, unsigned int *retlen)
{
    asn1_setup();

    /* Verify there is something to encode */
    if (val->subjectKeyIdentifier.length == 0 && val->issuerAndSerialNumber.length == 0 && val->subjectName.length == 0)
        return ASN1_MISSING_FIELD;

    if (val->subjectKeyIdentifier.length != 0)
        asn1_insert_implicit_octetstring(val->subjectKeyIdentifier.length,val->subjectKeyIdentifier.data,2);

    if (val->issuerAndSerialNumber.length != 0)
        asn1_insert_implicit_octetstring(val->issuerAndSerialNumber.length,val->issuerAndSerialNumber.data,1);

    if (val->subjectName.length != 0)
        asn1_insert_implicit_octetstring(val->subjectName.length,val->subjectName.data,0);

    asn1_makeseq();
    asn1_cleanup();
}

asn1_error_code asn1_encode_sequence_of_external_principal_identifier(asn1buf *buf, const krb5_external_principal_identifier **val, unsigned int *retlen)
{
    asn1_setup();
    int i;

    if (val == NULL || val[0] == NULL) return ASN1_MISSING_FIELD;

    for (i=0; val[i] != NULL; i++);
    for (i--; i>=0; i--) {
        unsigned int length;
        retval = asn1_encode_external_principal_identifier(buf,val[i],&length);
        if (retval) return retval;
        sum += length;
    }
    asn1_makeseq();

    asn1_cleanup();
}

asn1_error_code asn1_encode_pa_pk_as_req(asn1buf *buf, const krb5_pa_pk_as_req *val, unsigned int *retlen)
{
    asn1_setup();

    if (val->kdcPkId.length != 0)
        asn1_insert_implicit_octetstring(val->kdcPkId.length,val->kdcPkId.data,2);

    if (val->trustedCertifiers != NULL)
        asn1_addfield((const krb5_external_principal_identifier **)val->trustedCertifiers,1,asn1_encode_sequence_of_external_principal_identifier);

    asn1_insert_implicit_octetstring(val->signedAuthPack.length,val->signedAuthPack.data,0);

    asn1_makeseq();
    asn1_cleanup();
}

asn1_error_code asn1_encode_trusted_ca(asn1buf *buf, const krb5_trusted_ca *val, unsigned int *retlen)
{
    asn1_setup();

    switch (val->choice) {
    case choice_trusted_cas_issuerAndSerial:
        asn1_insert_implicit_octetstring(val->u.issuerAndSerial.length,val->u.issuerAndSerial.data,2);
        break;
    case choice_trusted_cas_caName:
        asn1_insert_implicit_octetstring(val->u.caName.length,val->u.caName.data,1);
        break;
    case choice_trusted_cas_principalName:
        asn1_addfield_implicit(val->u.principalName,0,asn1_encode_principal_name);
        break;
    default:
        return ASN1_MISSING_FIELD;
    }

    asn1_cleanup();
}

asn1_error_code asn1_encode_sequence_of_trusted_ca(asn1buf *buf, const krb5_trusted_ca **val, unsigned int *retlen)
{
    asn1_setup();
    int i;

    if (val == NULL || val[0] == NULL) return ASN1_MISSING_FIELD;

    for (i=0; val[i] != NULL; i++);
    for (i--; i>=0; i--) {
        unsigned int length;
        retval = asn1_encode_trusted_ca(buf,val[i],&length);
        if (retval) return retval;
        sum += length;
    }
    asn1_makeseq();
    asn1_cleanup();
}

asn1_error_code asn1_encode_pa_pk_as_req_draft9(asn1buf *buf, const krb5_pa_pk_as_req_draft9 *val, unsigned int *retlen)
{
    asn1_setup();

    if (val->encryptionCert.length != 0)
        asn1_insert_implicit_octetstring(val->encryptionCert.length,val->encryptionCert.data,3);

    if (val->kdcCert.length != 0)
        asn1_insert_implicit_octetstring(val->kdcCert.length,val->kdcCert.data,2);

    if (val->trustedCertifiers != NULL)
        asn1_addfield((const krb5_trusted_ca **)val->trustedCertifiers,1,asn1_encode_sequence_of_trusted_ca);

    asn1_insert_implicit_octetstring(val->signedAuthPack.length,val->signedAuthPack.data,0);

    asn1_makeseq();
    asn1_cleanup();
}

asn1_error_code asn1_encode_dh_rep_info(asn1buf *buf, const krb5_dh_rep_info *val, unsigned int *retlen)
{
    asn1_setup();

    if (val->serverDHNonce.length != 0)
        asn1_insert_implicit_octetstring(val->serverDHNonce.length,val->serverDHNonce.data,1);

    asn1_insert_implicit_octetstring(val->dhSignedData.length,val->dhSignedData.data,0);

    asn1_makeseq();
    asn1_cleanup();
}

asn1_error_code asn1_encode_kdc_dh_key_info(asn1buf *buf, const krb5_kdc_dh_key_info *val, unsigned int *retlen)
{
    asn1_setup();

    if (val->dhKeyExpiration != 0)
        asn1_addfield(val->dhKeyExpiration, 2, asn1_encode_kerberos_time);
    asn1_addfield(val->nonce, 1, asn1_encode_integer);

    {
        unsigned int length;

        asn1_insert_implicit_bitstring(val->subjectPublicKey.length,val->subjectPublicKey.data,3);
        retval = asn1_make_etag(buf, CONTEXT_SPECIFIC, 0,
                                val->subjectPublicKey.length + 1 + length,
                                &length);
        if (retval)
            return retval;
        sum += length;
    }

    asn1_makeseq();
    asn1_cleanup();
}

asn1_error_code asn1_encode_reply_key_pack(asn1buf *buf, const krb5_reply_key_pack *val, unsigned int *retlen)
{
    asn1_setup();

    asn1_addfield(&(val->asChecksum), 1, asn1_encode_checksum);
    asn1_addfield(&(val->replyKey), 0, asn1_encode_encryption_key);

    asn1_makeseq();
    asn1_cleanup();
}

asn1_error_code asn1_encode_reply_key_pack_draft9(asn1buf *buf, const krb5_reply_key_pack_draft9 *val, unsigned int *retlen)
{
    asn1_setup();

    asn1_addfield(val->nonce, 1, asn1_encode_integer);
    asn1_addfield(&(val->replyKey), 0, asn1_encode_encryption_key);

    asn1_makeseq();
    asn1_cleanup();
}

asn1_error_code asn1_encode_pa_pk_as_rep(asn1buf *buf, const krb5_pa_pk_as_rep *val, unsigned int *retlen)
{
    asn1_setup();

    switch (val->choice)
    {
    case choice_pa_pk_as_rep_dhInfo:
        asn1_addfield(&(val->u.dh_Info), choice_pa_pk_as_rep_dhInfo, asn1_encode_dh_rep_info);
        break;
    case choice_pa_pk_as_rep_encKeyPack:
        asn1_insert_implicit_octetstring(val->u.encKeyPack.length,val->u.encKeyPack.data,1);
        break;
    default:
        return ASN1_MISSING_FIELD;
    }

    asn1_cleanup();
}

asn1_error_code asn1_encode_pa_pk_as_rep_draft9(asn1buf *buf, const krb5_pa_pk_as_rep_draft9 *val, unsigned int *retlen)
{
    asn1_setup();

    switch (val->choice)
    {
    case choice_pa_pk_as_rep_draft9_dhSignedData:
        asn1_insert_implicit_octetstring(val->u.dhSignedData.length,val->u.dhSignedData.data,0);
        break;
    case choice_pa_pk_as_rep_encKeyPack:
        asn1_insert_implicit_octetstring(val->u.encKeyPack.length,val->u.encKeyPack.data,1);
        break;
    default:
        return ASN1_MISSING_FIELD;
    }

    asn1_cleanup();
}

asn1_error_code asn1_encode_td_trusted_certifiers(asn1buf *buf, const krb5_external_principal_identifier **val, unsigned int *retlen)
{
    asn1_setup();
    {
        unsigned int length;
        retval = asn1_encode_sequence_of_external_principal_identifier(buf, val, &length);
        if (retval)
            return retval;
        /* length set but ignored?  sum not updated?  */
    }
    asn1_cleanup();
}

#endif /* DISABLE_PKINIT */

asn1_error_code asn1_encode_sequence_of_typed_data(asn1buf *buf, const krb5_typed_data **val, unsigned int *retlen)
{
    asn1_setup();
    int i;

    if (val == NULL || val[0] == NULL) return ASN1_MISSING_FIELD;

    for (i=0; val[i] != NULL; i++);
    for (i--; i>=0; i--) {
        unsigned int length;

        retval = asn1_encode_typed_data(buf,val[i],&length);
        if (retval) return retval;
        sum += length;
    }
    asn1_makeseq();

    asn1_cleanup();
}

asn1_error_code asn1_encode_typed_data(asn1buf *buf, const krb5_typed_data *val, unsigned int *retlen)
{
    asn1_setup();
    asn1_addlenfield(val->length, val->data, 1, asn1_encode_octetstring);
    asn1_addfield(val->type, 0, asn1_encode_integer);
    asn1_makeseq();
    asn1_cleanup();
}