879 bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true; |
883 bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true; |
880 } |
884 } |
881 bFlags[Krb5.TKT_OPTS_INITIAL] = true; |
885 bFlags[Krb5.TKT_OPTS_INITIAL] = true; |
882 |
886 |
883 // Creating PA-DATA |
887 // Creating PA-DATA |
884 int[] epas = eTypes; |
888 DerValue[] pas2 = null, pas = null; |
885 if (options.containsKey(KDC.Option.RC4_FIRST_PREAUTH)) { |
889 if (options.containsKey(KDC.Option.DUP_ETYPE)) { |
886 for (int i=1; i<epas.length; i++) { |
890 int n = (Integer)options.get(KDC.Option.DUP_ETYPE); |
887 if (epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC) { |
891 switch (n) { |
888 epas[i] = epas[0]; |
892 case 1: // customer's case in 7067974 |
889 epas[0] = EncryptedData.ETYPE_ARCFOUR_HMAC; |
893 pas2 = new DerValue[] { |
|
894 new DerValue(new ETypeInfo2(1, null, null).asn1Encode()), |
|
895 new DerValue(new ETypeInfo2(1, "", null).asn1Encode()), |
|
896 new DerValue(new ETypeInfo2(1, OneKDC.REALM, new byte[]{1}).asn1Encode()), |
|
897 }; |
|
898 pas = new DerValue[] { |
|
899 new DerValue(new ETypeInfo(1, null).asn1Encode()), |
|
900 new DerValue(new ETypeInfo(1, "").asn1Encode()), |
|
901 new DerValue(new ETypeInfo(1, OneKDC.REALM).asn1Encode()), |
|
902 }; |
|
903 break; |
|
904 case 2: // we still reject non-null s2kparams and prefer E2 over E |
|
905 pas2 = new DerValue[] { |
|
906 new DerValue(new ETypeInfo2(1, OneKDC.REALM, new byte[]{1}).asn1Encode()), |
|
907 new DerValue(new ETypeInfo2(1, null, null).asn1Encode()), |
|
908 new DerValue(new ETypeInfo2(1, "", null).asn1Encode()), |
|
909 }; |
|
910 pas = new DerValue[] { |
|
911 new DerValue(new ETypeInfo(1, OneKDC.REALM).asn1Encode()), |
|
912 new DerValue(new ETypeInfo(1, null).asn1Encode()), |
|
913 new DerValue(new ETypeInfo(1, "").asn1Encode()), |
|
914 }; |
|
915 break; |
|
916 case 3: // but only E is wrong |
|
917 pas = new DerValue[] { |
|
918 new DerValue(new ETypeInfo(1, OneKDC.REALM).asn1Encode()), |
|
919 new DerValue(new ETypeInfo(1, null).asn1Encode()), |
|
920 new DerValue(new ETypeInfo(1, "").asn1Encode()), |
|
921 }; |
|
922 break; |
|
923 case 4: // we also ignore rc4-hmac |
|
924 pas = new DerValue[] { |
|
925 new DerValue(new ETypeInfo(23, "ANYTHING").asn1Encode()), |
|
926 new DerValue(new ETypeInfo(1, null).asn1Encode()), |
|
927 new DerValue(new ETypeInfo(1, "").asn1Encode()), |
|
928 }; |
|
929 break; |
|
930 case 5: // "" should be wrong, but we accept it now |
|
931 // See s.s.k.internal.PAData$SaltAndParams |
|
932 pas = new DerValue[] { |
|
933 new DerValue(new ETypeInfo(1, "").asn1Encode()), |
|
934 new DerValue(new ETypeInfo(1, null).asn1Encode()), |
|
935 }; |
|
936 break; |
|
937 } |
|
938 } else { |
|
939 int[] epas = eTypes; |
|
940 if (options.containsKey(KDC.Option.RC4_FIRST_PREAUTH)) { |
|
941 for (int i=1; i<epas.length; i++) { |
|
942 if (epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC) { |
|
943 epas[i] = epas[0]; |
|
944 epas[0] = EncryptedData.ETYPE_ARCFOUR_HMAC; |
|
945 break; |
|
946 } |
|
947 }; |
|
948 } else if (options.containsKey(KDC.Option.ONLY_ONE_PREAUTH)) { |
|
949 epas = new int[] { eTypes[0] }; |
|
950 } |
|
951 pas2 = new DerValue[epas.length]; |
|
952 for (int i=0; i<epas.length; i++) { |
|
953 pas2[i] = new DerValue(new ETypeInfo2( |
|
954 epas[i], |
|
955 epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC ? |
|
956 null : getSalt(body.cname), |
|
957 null).asn1Encode()); |
|
958 } |
|
959 boolean allOld = true; |
|
960 for (int i: eTypes) { |
|
961 if (i == EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96 || |
|
962 i == EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96) { |
|
963 allOld = false; |
890 break; |
964 break; |
891 } |
965 } |
892 }; |
966 } |
893 } else if (options.containsKey(KDC.Option.ONLY_ONE_PREAUTH)) { |
967 if (allOld) { |
894 epas = new int[] { eTypes[0] }; |
968 pas = new DerValue[epas.length]; |
895 } |
969 for (int i=0; i<epas.length; i++) { |
896 |
970 pas[i] = new DerValue(new ETypeInfo( |
897 DerValue[] pas = new DerValue[epas.length]; |
971 epas[i], |
898 for (int i=0; i<epas.length; i++) { |
972 epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC ? |
899 pas[i] = new DerValue(new ETypeInfo2( |
973 null : getSalt(body.cname) |
900 epas[i], |
974 ).asn1Encode()); |
901 epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC ? |
975 } |
902 null : getSalt(body.cname), |
976 } |
903 null).asn1Encode()); |
977 } |
904 } |
978 |
905 DerOutputStream eid = new DerOutputStream(); |
979 DerOutputStream eid; |
906 eid.putSequence(pas); |
980 if (pas2 != null) { |
907 |
981 eid = new DerOutputStream(); |
908 outPAs.add(new PAData(Krb5.PA_ETYPE_INFO2, eid.toByteArray())); |
982 eid.putSequence(pas2); |
909 |
983 outPAs.add(new PAData(Krb5.PA_ETYPE_INFO2, eid.toByteArray())); |
910 boolean allOld = true; |
984 } |
911 for (int i: eTypes) { |
985 if (pas != null) { |
912 if (i == EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96 || |
|
913 i == EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96) { |
|
914 allOld = false; |
|
915 break; |
|
916 } |
|
917 } |
|
918 if (allOld) { |
|
919 for (int i=0; i<epas.length; i++) { |
|
920 pas[i] = new DerValue(new ETypeInfo( |
|
921 epas[i], |
|
922 epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC ? |
|
923 null : getSalt(body.cname) |
|
924 ).asn1Encode()); |
|
925 } |
|
926 eid = new DerOutputStream(); |
986 eid = new DerOutputStream(); |
927 eid.putSequence(pas); |
987 eid.putSequence(pas); |
928 outPAs.add(new PAData(Krb5.PA_ETYPE_INFO, eid.toByteArray())); |
988 outPAs.add(new PAData(Krb5.PA_ETYPE_INFO, eid.toByteArray())); |
929 } |
989 } |
930 |
990 |