Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
# -*- coding: binary -*-
2

3
module Rex
4
  module Proto
5
    module Kerberos
6
      module Model
7
        # Based on https://datatracker.ietf.org/doc/html/rfc6806.html#section-11
8
        #    EncKDCRepPart   ::= SEQUENCE {
9
        #            key             [0] EncryptionKey,
10
        #            last-req        [1] LastReq,
11
        #            nonce           [2] UInt32,
12
        #            key-expiration  [3] KerberosTime OPTIONAL,
13
        #            flags           [4] TicketFlags,
14
        #            authtime        [5] KerberosTime,
15
        #            starttime       [6] KerberosTime OPTIONAL,
16
        #            endtime         [7] KerberosTime,
17
        #            renew-till      [8] KerberosTime OPTIONAL,
18
        #            srealm          [9] Realm,
19
        #            sname           [10] PrincipalName,
20
        #            caddr           [11] HostAddresses OPTIONAL
21
        #            encrypted-pa-data [12] SEQUENCE OF PA-DATA OPTIONAL
22
        #    }
23
        class EncKdcResponse < Element
24
          # @!attribute key
25
          #   @return [Rex::Proto::Kerberos::Model::EncryptionKey] The session key
26
          attr_accessor :key
27
          # @!attribute last_req
28
          #   @return [Array<Rex::Proto::Kerberos::Model::LastRequest>] This field is returned by the KDC and specifies the time(s)
29
          #   of the last request by a principal
30
          attr_accessor :last_req
31
          # @!attribute nonce
32
          #   @return [Integer] random number
33
          attr_accessor :nonce
34
          # @!attribute key_expiration
35
          #   @return [Time] The key-expiration field is part of the response from the
36
          #   KDC and specifies the time that the client's secret key is due to expire
37
          attr_accessor :key_expiration
38
          # @!attribute flags
39
          #   @return [Rex::Proto::Kerberos::Model::KdcOptionFlags] This field indicates which of various options were used or
40
          #   requested when the ticket was issued
41
          attr_accessor :flags
42
          # @!attribute auth_time
43
          #   @return [Time] the time of initial authentication for the named principal
44
          attr_accessor :auth_time
45
          # @!attribute start_time
46
          #   @return [Time] Specifies the time after which the ticket is valid
47
          attr_accessor :start_time
48
          # @!attribute end_time
49
          #   @return [Time] This field contains the time after which the ticket will
50
          #   not be honored (its expiration time)
51
          attr_accessor :end_time
52
          # @!attribute renew_till
53
          #   @return [Time] This field is only present in tickets that have the
54
          #   RENEWABLE flag set in the flags field.  It indicates the maximum
55
          #   endtime that may be included in a renewal
56
          attr_accessor :renew_till
57
          # @!attribute srealm
58
          #   @return [String] The realm part of the server's principal identifier
59
          attr_accessor :srealm
60
          # @!attribute sname
61
          #   @return [Rex::Proto::Kerberos::Model::PrincipalName] The name part of the server's identity
62
          attr_accessor :sname
63
          # @!attribute caddr
64
          #   @return [Rex::Proto::Kerberos::Model::HostAddress] These are the addresses from which the ticket can be used
65
          attr_accessor :caddr
66
          # @!attribute pa_data
67
          #   @return [Array<Rex::Proto::Kerberos::Model::PreAuthDataEntry>,nil] An array of PreAuthDataEntry. nil if not present.
68
          attr_accessor :pa_data
69

70
          # Decodes the Rex::Proto::Kerberos::Model::EncKdcResponse from an input
71
          #
72
          # @param input [String, OpenSSL::ASN1::ASN1Data] the input to decode from
73
          # @return [self] if decoding succeeds
74
          # @raise [Rex::Proto::Kerberos::Model::Error::KerberosDecodingError] if decoding doesn't succeed
75
          def decode(input)
76
            case input
77
            when String
78
              decode_string(input)
79
            when OpenSSL::ASN1::ASN1Data
80
              decode_asn1(input)
81
            else
82
              raise ::Rex::Proto::Kerberos::Model::Error::KerberosDecodingError, 'Failed to decode EncKdcResponse, invalid input'
83
            end
84

85
            self
86
          end
87

88
          # Rex::Proto::Kerberos::Model::EncKdcResponse encoding isn't supported
89
          #
90
          # @raise [NotImplementedError]
91
          def encode
92
            raise ::NotImplementedError, 'EncKdcResponse encoding not supported'
93
          end
94

95
          private
96

97
          # Decodes a Rex::Proto::Kerberos::Model::EncKdcResponse from an String
98
          #
99
          # @param input [String] the input to decode from
100
          def decode_string(input)
101
            asn1 = OpenSSL::ASN1.decode(input)
102

103
            decode_asn1(asn1)
104
          end
105

106
          # Decodes a Rex::Proto::Kerberos::Model::EncKdcResponse
107
          #
108
          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
109
          # @raise [Rex::Proto::Kerberos::Model::Error::KerberosDecodingError] if decoding doesn't succeed
110
          def decode_asn1(input)
111
            input.value[0].value.each do |val|
112
              case val.tag
113
              when 0
114
                self.key = decode_key(val)
115
              when 1
116
                self.last_req = decode_last_req(val)
117
              when 2
118
                self.nonce = decode_nonce(val)
119
              when 3
120
                self.key_expiration = decode_key_expiration(val)
121
              when 4
122
                self.flags = decode_flags(val)
123
              when 5
124
                self.auth_time = decode_auth_time(val)
125
              when 6
126
                self.start_time = decode_start_time(val)
127
              when 7
128
                self.end_time = decode_end_time(val)
129
              when 8
130
                self.renew_till = decode_renew_till(val)
131
              when 9
132
                self.srealm = decode_srealm(val)
133
              when 10
134
                self.sname = decode_sname(val)
135
              when 11
136
                self.caddr = decode_caddr(val)
137
              when 12
138
                self.pa_data = decode_pa_data(val)
139
              else
140
                raise ::Rex::Proto::Kerberos::Model::Error::KerberosDecodingError, "Failed to decode tag #{val.tag.inspect} in ENC-KDC-RESPONSE SEQUENCE"
141
              end
142
            end
143
          end
144

145
          # Decodes the key from an OpenSSL::ASN1::ASN1Data
146
          #
147
          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
148
          # @return [EncryptionKey]
149
          def decode_key(input)
150
            Rex::Proto::Kerberos::Model::EncryptionKey.decode(input.value[0])
151
          end
152

153
          # Decodes the last_req from an OpenSSL::ASN1::ASN1Data
154
          #
155
          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
156
          # @return [Array<Rex::Proto::Kerberos::Model::LastRequest>]
157
          def decode_last_req(input)
158
            last_requests = []
159
            input.value[0].value.each do |last_request|
160
              last_requests << Rex::Proto::Kerberos::Model::LastRequest.decode(last_request)
161
            end
162

163
            last_requests
164
          end
165

166
          # Decodes the nonce field
167
          #
168
          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
169
          # @return [Integer]
170
          def decode_nonce(input)
171
            input.value[0].value.to_i
172
          end
173

174
          # Decodes the key_expiration field
175
          #
176
          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
177
          # @return [Time]
178
          def decode_key_expiration(input)
179
            input.value[0].value
180
          end
181

182
          # Decodes the flags field
183
          #
184
          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
185
          # @return [Rex::Proto::Kerberos::Model::KdcOptionFlags]
186
          def decode_flags(input)
187
            flags = input.value[0].value.unpack1('N')
188
            # == OpenSSL::ASN1::BitString
189
            #
190
            # === Additional attributes
191
            # _unused_bits_: if the underlying BIT STRING's
192
            # length is a multiple of 8 then _unused_bits_ is 0. Otherwise
193
            # _unused_bits_ indicates the number of bits that are to be ignored in
194
            # the final octet of the BitString's _value_.
195
            unused_bits = input.value[0].unused_bits
196
            flags >>= unused_bits
197
            Rex::Proto::Kerberos::Model::KdcOptionFlags.new(flags)
198
          end
199

200
          # Decodes the auth_time field
201
          #
202
          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
203
          # @return [Time]
204
          def decode_auth_time(input)
205
            input.value[0].value
206
          end
207

208
          # Decodes the start_time field
209
          #
210
          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
211
          # @return [Time]
212
          def decode_start_time(input)
213
            input.value[0].value
214
          end
215

216
          # Decodes the end_time field
217
          #
218
          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
219
          # @return [Time]
220
          def decode_end_time(input)
221
            input.value[0].value
222
          end
223

224
          # Decodes the renew_till field
225
          #
226
          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
227
          # @return [Time]
228
          def decode_renew_till(input)
229
            input.value[0].value
230
          end
231

232
          # Decodes the srealm field
233
          #
234
          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
235
          # @return [String]
236
          def decode_srealm(input)
237
            input.value[0].value
238
          end
239

240
          # Decodes the sname field
241
          #
242
          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
243
          # @return [Rex::Proto::Kerberos::Type::PrincipalName]
244
          def decode_sname(input)
245
            Rex::Proto::Kerberos::Model::PrincipalName.decode(input.value[0])
246
          end
247

248
          # Decodes the caddr field
249
          #
250
          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
251
          # @return [Array<Rex::Proto::Model::HostAddress>]
252
          def decode_caddr(input)
253
            caddr = []
254
            input.value[0].value.each do |host_address_data|
255
              caddr << Rex::Proto::Kerberos::Model::HostAddress.decode(host_address_data)
256
            end
257
            caddr
258
          end
259

260
          # Decodes the pa_data field
261
          #
262
          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
263
          # @return [Array<Rex::Proto::Kerberos::Model::PreAuthDataEntry>]
264
          def decode_pa_data(input)
265
            pre_auth = []
266
            input.value[0].value.each do |pre_auth_data|
267
              pre_auth << Rex::Proto::Kerberos::Model::PreAuthDataEntry.decode(pre_auth_data)
268
            end
269

270
            pre_auth
271
          end
272
        end
273
      end
274
    end
275
  end
276
end
277

278