Fix PKINIT serverDHNonce encoding

Use an explicit tag for serverDHNonce, as specified in RFC 4556,
rather than the implicit tag we historically used.  This bug had no
practical effect (and creates no interoperability issues) because we
never generate a serverDHNonce.

ticket: 7061

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25623 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index b23a3ef7371866f516beeb692ab1a7342b2ec747..a811e7e4cbecac1d30163a36fc4953d52643acc0 100644 (file)
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -1574,15 +1574,9 @@ dh_rep_info_optional(const void *p)
     return optional;
 }
 
-/*
- * RFC 4556 specifies serverDHNonce as an explicitly tagged octet string.
- * Historically we encode it as an implicitly tagged octet string.  This may be
- * harmless (and fixable) since we don't appear to include a serverDHNonce in
- * our PKINIT server code, but we would want to change this carefully.
- */
 static const struct field_info dh_rep_info_fields[] = {
     FIELDOF_NORM(krb5_dh_rep_info, ostring_data, dhSignedData, 0, 1),
-    FIELDOF_OPT(krb5_dh_rep_info, ostring_data, serverDHNonce, 1, 1, 1),
+    FIELDOF_OPT(krb5_dh_rep_info, ostring_data, serverDHNonce, 1, 0, 1),
     FIELDOF_OPT(krb5_dh_rep_info, kdf_alg_id_ptr, kdfID, 2, 0, 2),
 };
 DEFSEQTYPE(dh_rep_info, krb5_dh_rep_info,

diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out
index e613a9ab26778aa609a7ee851b838c40e224298f..77b37cd64a03bcd62900988a3dc77f2b70e4a58c 100644 (file)
--- a/src/tests/asn.1/pkinit_encode.out
+++ b/src/tests/asn.1/pkinit_encode.out
@@ -1,6 +1,6 @@
 encode_krb5_pa_pk_as_req: 30 38 80 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 1E 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61
 encode_krb5_pa_pk_as_req_draft9: 30 52 80 08 6B 72 62 35 64 61 74 61 A1 32 30 30 80 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 83 08 6B 72 62 35 64 61 74 61
-encode_krb5_pa_pk_as_rep(dhInfo): A0 26 30 24 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
+encode_krb5_pa_pk_as_rep(dhInfo): A0 28 30 26 80 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
 encode_krb5_pa_pk_as_rep(encKeyPack): 81 08 6B 72 62 35 64 61 74 61
 encode_krb5_pa_pk_as_rep_draft9(dhSignedData): 80 08 6B 72 62 35 64 61 74 61
 encode_krb5_pa_pk_as_rep_draft9(encKeyPack): 81 08 6B 72 62 35 64 61 74 61

diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out
index 9959afa9f0884fc8a9b8331376d232ee0c7e4af1..7ee5b1de55e67eb295c43b91d61bb984c564c0b2 100644 (file)
--- a/src/tests/asn.1/pkinit_trval.out
+++ b/src/tests/asn.1/pkinit_trval.out
@@ -38,8 +38,7 @@ encode_krb5_pa_pk_as_rep(dhInfo):
 .  [Sequence/Sequence Of] 
 .  .  [0] <8>
          6b 72 62 35 64 61 74 61                          krb5data
-.  .  [1] <8>
-         6b 72 62 35 64 61 74 61                          krb5data
+.  .  [1] [Octet String] "krb5data"
 .  .  [2] [Sequence/Sequence Of] 
 .  .  .  [0] [Object Identifier] <8>
             6b 72 62 35 64 61 74 61                          krb5data