ticket: 7061

subject: Fix PKINIT serverDHNonce encoding Use an explicit tag for serverDHNonce, as specified in RFC 4556, rather than the implicit tag we historically used. This bug had no practical effect (and creates no interoperability issues) because we never generate a serverDHNonce. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25623 dc483132-0cff-0310-8789-dd5450dbe970
aadamowski · Jan 8, 2012 · ec90db5 · ec90db5
1 parent fc741d7
commit ec90db5
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 10 deletions.
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -1574,15 +1574,9 @@ dh_rep_info_optional(const void *p)
     return optional;
 }
 
-/*
- * RFC 4556 specifies serverDHNonce as an explicitly tagged octet string.
- * Historically we encode it as an implicitly tagged octet string.  This may be
- * harmless (and fixable) since we don't appear to include a serverDHNonce in
- * our PKINIT server code, but we would want to change this carefully.
- */
 static const struct field_info dh_rep_info_fields[] = {
     FIELDOF_NORM(krb5_dh_rep_info, ostring_data, dhSignedData, 0, 1),
-    FIELDOF_OPT(krb5_dh_rep_info, ostring_data, serverDHNonce, 1, 1, 1),
+    FIELDOF_OPT(krb5_dh_rep_info, ostring_data, serverDHNonce, 1, 0, 1),
     FIELDOF_OPT(krb5_dh_rep_info, kdf_alg_id_ptr, kdfID, 2, 0, 2),
 };
 DEFSEQTYPE(dh_rep_info, krb5_dh_rep_info,

diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out
@@ -1,6 +1,6 @@
 encode_krb5_pa_pk_as_req: 30 38 80 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 1E 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61
 encode_krb5_pa_pk_as_req_draft9: 30 52 80 08 6B 72 62 35 64 61 74 61 A1 32 30 30 80 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 83 08 6B 72 62 35 64 61 74 61
-encode_krb5_pa_pk_as_rep(dhInfo): A0 26 30 24 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
+encode_krb5_pa_pk_as_rep(dhInfo): A0 28 30 26 80 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
 encode_krb5_pa_pk_as_rep(encKeyPack): 81 08 6B 72 62 35 64 61 74 61
 encode_krb5_pa_pk_as_rep_draft9(dhSignedData): 80 08 6B 72 62 35 64 61 74 61
 encode_krb5_pa_pk_as_rep_draft9(encKeyPack): 81 08 6B 72 62 35 64 61 74 61

diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out
@@ -38,8 +38,7 @@ encode_krb5_pa_pk_as_rep(dhInfo):
 .  [Sequence/Sequence Of] 
 .  .  [0] <8>
          6b 72 62 35 64 61 74 61                          krb5data
-.  .  [1] <8>
-         6b 72 62 35 64 61 74 61                          krb5data
+.  .  [1] [Octet String] "krb5data"
 .  .  [2] [Sequence/Sequence Of] 
 .  .  .  [0] [Object Identifier] <8>
             6b 72 62 35 64 61 74 61                          krb5data