secdev · gpotter2 · Sep 21, 2025 · Sep 25, 2025 · Sep 25, 2025 · Oct 19, 2025
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
@@ -1,7 +1,7 @@
 name: CIFuzz
 
 on:
-  pull_request:
+  push:
     branches: [master]
 
 permissions:

diff --git a/doc/scapy/layers/kerberos.rst b/doc/scapy/layers/kerberos.rst
@@ -41,11 +41,11 @@ This section tries to give many usage examples, but isn't exhaustive. For more d
     >>> t.show()
     Tickets:
     0. Administrator@DOMAIN.LOCAL -> krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
-    Start time         End time           Renew until        Auth time        
+    Start time         End time           Renew until        Auth time
     31/08/23 11:38:34  31/08/23 21:38:34  31/08/23 21:38:35  31/08/23 01:38:34
 
     1. Administrator@DOMAIN.LOCAL -> host/dc1.domain.local@DOMAIN.LOCAL
-    Start time         End time           Renew until        Auth time        
+    Start time         End time           Renew until        Auth time
     31/08/23 11:39:07  31/08/23 21:38:34  31/08/23 21:38:35  31/08/23 01:38:34
 
 
@@ -68,12 +68,41 @@ This section tries to give many usage examples, but isn't exhaustive. For more d
     >>> # Using the AES-256-SHA1-96 Kerberos Key
    >>> t.request_tgt("Administrator@domain.local", key=Key(EncryptionType.AES256_CTS_HMAC_SHA1_96, bytes.fromhex("63a2577d8bf6abeba0847cded36b9aed202c23750eb9c56b6155be1cc946bb1d")))
 
+- **Request a TGT using PKINIT**:
+
+.. code:: pycon
+
+    >>> from scapy.libs.rfc3961 import EncryptionType
+    >>> load_module("ticketer")
+    >>> t = Ticketer()
+    >>> # If P12:
+    >>> t.request_tgt("Administrator@DOMAIN.LOCAL", p12="admin.pfx", ca="ca.pem")
+    >>> # One could also have used a different cert and key file:
+    >>> t.request_tgt("Administrator@DOMAIN.LOCAL", x509="admin.cert", x509key="admin.key", ca="ca.pem")
+
+- **Request a user TGT with Kerberos armoring (FAST)**
+
+The ``armor_with`` keyword allows to select a ticket to armor the request with.
+
+.. code:: pycon
+
+    >>> load_module("ticketer")
+    >>> t = Ticketer()
+    >>> t.request_tgt("Machine01$@DOMAIN.LOCAL", key=Key(EncryptionType.RC4_HMAC, bytes.fromhex("2b576acbe6bcfda7294d6bd18041b8fe")))
+    >>> t.show()
+    Tickets:
+    0. Machine01$@DOMAIN.LOCAL -> krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
+    Start time         End time           Renew until        Auth time
+    31/08/23 11:38:34  31/08/23 21:38:34  31/08/23 21:38:35  31/08/23 01:38:34
+    >>> t.request_tgt("Administrator@domain.local", armor_with=0)  # Armor with ticket n°0
+
 - **Renew a TGT or ST**:
 
 .. code::
 
     >>> t.renew(0)  # renew TGT
     >>> t.renew(1)  # renew ST. Works only with 'host/' SPNs
+    >>> t.renew(1, armor_with=0)  # renew something with armoring
 
 - **Import tickets from a ccache**:
 

diff --git a/scapy/asn1/mib.py b/scapy/asn1/mib.py
@@ -284,16 +284,24 @@ def load_mib(filenames):
     "1.3.101.113": "Ed448",
 }
 
+#       pkcs3       #
+
+pkcs3_oids = {
+    "1.2.840.113549.1.3": "pkcs-3",
+    "1.2.840.113549.1.3.1": "dhKeyAgreement",
+}
+
 #       pkcs7       #
 
 pkcs7_oids = {
+    "1.2.840.113549.1.7": "pkcs-7",
     "1.2.840.113549.1.7.2": "id-signedData",
 }
 
 #       pkcs9       #
 
 pkcs9_oids = {
-    "1.2.840.113549.1.9": "pkcs9",
+    "1.2.840.113549.1.9": "pkcs-9",
     "1.2.840.113549.1.9.0": "modules",
     "1.2.840.113549.1.9.1": "emailAddress",
     "1.2.840.113549.1.9.2": "unstructuredName",
@@ -724,6 +732,7 @@ def load_mib(filenames):
     secsig_oids,
     nist_oids,
     thawte_oids,
+    pkcs3_oids,
     pkcs7_oids,
     pkcs9_oids,
     attributeType_oids,

diff --git a/scapy/asn1fields.py b/scapy/asn1fields.py
@@ -31,7 +31,6 @@
     BER_tagging_enc,
 )
 from scapy.base_classes import BasePacket
-from scapy.compat import raw
 from scapy.volatile import (
     GeneralizedTime,
     RandChoice,
@@ -599,7 +598,7 @@ def build(self, pkt):
         elif val is None:
             s = b""
         else:
-            s = b"".join(raw(i) for i in val)
+            s = b"".join(bytes(i) for i in val)
         return self.i2m(pkt, s)
 
     def i2repr(self, pkt, x):
@@ -642,6 +641,9 @@ class ASN1F_TIME_TICKS(ASN1F_INTEGER):
 #############################
 
 class ASN1F_optional(ASN1F_element):
+    """
+    ASN.1 field that is optional.
+    """
     def __init__(self, field):
         # type: (ASN1F_field[Any, Any]) -> None
         field.flexible_tag = False
@@ -682,6 +684,20 @@ def i2repr(self, pkt, x):
         return self._field.i2repr(pkt, x)
 
 
+class ASN1F_omit(ASN1F_field[None, None]):
+    """
+    ASN.1 field that is not specified. This is simply omitted on the network.
+    This is different from ASN1F_NULL which has a network representation.
+    """
+    def m2i(self, pkt, s):
+        # type: (ASN1_Packet, bytes) -> Tuple[None, bytes]
+        return None, s
+
+    def i2m(self, pkt, x):
+        # type: (ASN1_Packet, Optional[bytes]) -> bytes
+        return b""
+
+
 _CHOICE_T = Union['ASN1_Packet', Type[ASN1F_field[Any, Any]], 'ASN1F_PACKET']
 
 
@@ -769,7 +785,7 @@ def i2m(self, pkt, x):
         if x is None:
             s = b""
         else:
-            s = raw(x)
+            s = bytes(x)
             if hash(type(x)) in self.pktchoices:
                 imp, exp = self.pktchoices[hash(type(x))]
                 s = BER_tagging_enc(s,
@@ -852,11 +868,11 @@ def i2m(self,
             s = x
         elif isinstance(x, ASN1_Object):
             if x.val:
-                s = raw(x.val)
+                s = bytes(x.val)
             else:
                 s = b""
         else:
-            s = raw(x)
+            s = bytes(x)
             if not hasattr(x, "ASN1_root"):
                 # A normal Packet (!= ASN1)
                 return s
@@ -897,7 +913,7 @@ def __init__(self,
         self.cls = cls
         super(ASN1F_BIT_STRING_ENCAPS, self).__init__(  # type: ignore
             name,
-            default and raw(default),
+            default and bytes(default),
             context=context,
             implicit_tag=implicit_tag,
             explicit_tag=explicit_tag

diff --git a/scapy/layers/dcerpc.py b/scapy/layers/dcerpc.py
@@ -451,6 +451,14 @@ class RPC_C_AUTHN_LEVEL(IntEnum):
 DCE_C_AUTHN_LEVEL = RPC_C_AUTHN_LEVEL  # C706 name
 
 
+class RPC_C_IMP_LEVEL(IntEnum):
+    DEFAULT = 0x0
+    ANONYMOUS = 0x1
+    IDENTIFY = 0x2
+    IMPERSONATE = 0x3
+    DELEGATE = 0x4
+
+
 # C706 sect 13.2.6.1
 
 
@@ -2766,9 +2774,9 @@ def __init__(self, *args, **kwargs):
         self.ssp = kwargs.pop("ssp", None)
         self.sspcontext = kwargs.pop("sspcontext", None)
         self.auth_level = kwargs.pop("auth_level", None)
-        self.auth_context_id = kwargs.pop("auth_context_id", 0)
         self.sent_cont_ids = []
         self.cont_id = 0  # Currently selected context
+        self.auth_context_id = 0  # Currently selected authentication context
         self.map_callid_opnum = {}
         self.frags = collections.defaultdict(lambda: b"")
         self.sniffsspcontexts = {}  # Unfinished contexts for passive
@@ -3283,7 +3291,6 @@ def __init__(self, *args, **kwargs):
         self.session = DceRpcSession(
             ssp=kwargs.pop("ssp", None),
             auth_level=kwargs.pop("auth_level", None),
-            auth_context_id=kwargs.pop("auth_context_id", None),
             support_header_signing=kwargs.pop("support_header_signing", True),
         )
         super(DceRpcSocket, self).__init__(*args, **kwargs)

diff --git a/scapy/layers/http.py b/scapy/layers/http.py
@@ -763,6 +763,7 @@ class HTTP_Client(object):
     :param ssl: whether to use HTTPS or not
     :param ssp: the SSP object to use for binding
     :param no_check_certificate: with SSL, do not check the certificate
+    :param no_chan_bindings: force disable sending the channel bindings
     """
 
     def __init__(
@@ -772,6 +773,7 @@ def __init__(
         sslcontext=None,
         ssp=None,
         no_check_certificate=False,
+        no_chan_bindings=False,
     ):
         self.sock = None
         self._sockinfo = None
@@ -781,6 +783,7 @@ def __init__(
         self.ssp = ssp
         self.sspcontext = None
         self.no_check_certificate = no_check_certificate
+        self.no_chan_bindings = no_chan_bindings
         self.chan_bindings = GSS_C_NO_CHANNEL_BINDINGS
 
     def _connect_or_reuse(self, host, port=None, tls=False, timeout=5):
@@ -823,7 +826,7 @@ def _connect_or_reuse(self, host, port=None, tls=False, timeout=5):
             else:
                 context = self.sslcontext
             sock = context.wrap_socket(sock, server_hostname=host)
-            if self.ssp:
+            if self.ssp and not self.no_chan_bindings:
                 # Compute the channel binding token (CBT)
                 self.chan_bindings = GssChannelBindings.fromssl(
                     ChannelBindingType.TLS_SERVER_END_POINT,