Skip to content
Browse files

ticket: 7061

subject: Fix PKINIT serverDHNonce encoding

Use an explicit tag for serverDHNonce, as specified in RFC 4556,
rather than the implicit tag we historically used.  This bug had no
practical effect (and creates no interoperability issues) because we
never generate a serverDHNonce.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25623 dc483132-0cff-0310-8789-dd5450dbe970
  • Loading branch information...
1 parent fc741d7 commit ec90db598dc87e8d63cdfd905bed80368b6679e1 ghudson committed Jan 8, 2012
Showing with 3 additions and 10 deletions.
  1. +1 −7 src/lib/krb5/asn.1/asn1_k_encode.c
  2. +1 −1 src/tests/asn.1/pkinit_encode.out
  3. +1 −2 src/tests/asn.1/pkinit_trval.out
View
8 src/lib/krb5/asn.1/asn1_k_encode.c
@@ -1574,15 +1574,9 @@ dh_rep_info_optional(const void *p)
return optional;
}
-/*
- * RFC 4556 specifies serverDHNonce as an explicitly tagged octet string.
- * Historically we encode it as an implicitly tagged octet string. This may be
- * harmless (and fixable) since we don't appear to include a serverDHNonce in
- * our PKINIT server code, but we would want to change this carefully.
- */
static const struct field_info dh_rep_info_fields[] = {
FIELDOF_NORM(krb5_dh_rep_info, ostring_data, dhSignedData, 0, 1),
- FIELDOF_OPT(krb5_dh_rep_info, ostring_data, serverDHNonce, 1, 1, 1),
+ FIELDOF_OPT(krb5_dh_rep_info, ostring_data, serverDHNonce, 1, 0, 1),
FIELDOF_OPT(krb5_dh_rep_info, kdf_alg_id_ptr, kdfID, 2, 0, 2),
};
DEFSEQTYPE(dh_rep_info, krb5_dh_rep_info,
View
2 src/tests/asn.1/pkinit_encode.out
@@ -1,6 +1,6 @@
encode_krb5_pa_pk_as_req: 30 38 80 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 1E 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61
encode_krb5_pa_pk_as_req_draft9: 30 52 80 08 6B 72 62 35 64 61 74 61 A1 32 30 30 80 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 83 08 6B 72 62 35 64 61 74 61
-encode_krb5_pa_pk_as_rep(dhInfo): A0 26 30 24 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
+encode_krb5_pa_pk_as_rep(dhInfo): A0 28 30 26 80 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
encode_krb5_pa_pk_as_rep(encKeyPack): 81 08 6B 72 62 35 64 61 74 61
encode_krb5_pa_pk_as_rep_draft9(dhSignedData): 80 08 6B 72 62 35 64 61 74 61
encode_krb5_pa_pk_as_rep_draft9(encKeyPack): 81 08 6B 72 62 35 64 61 74 61
View
3 src/tests/asn.1/pkinit_trval.out
@@ -38,8 +38,7 @@ encode_krb5_pa_pk_as_rep(dhInfo):
. [Sequence/Sequence Of]
. . [0] <8>
6b 72 62 35 64 61 74 61 krb5data
-. . [1] <8>
- 6b 72 62 35 64 61 74 61 krb5data
+. . [1] [Octet String] "krb5data"
. . [2] [Sequence/Sequence Of]
. . . [0] [Object Identifier] <8>
6b 72 62 35 64 61 74 61 krb5data

0 comments on commit ec90db5

Please sign in to comment.
Something went wrong with that request. Please try again.