From 94cfb9542c15bb54a786fa62c26f357d183cea41 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sun, 8 Jan 2012 21:27:59 +0000 Subject: [PATCH] Fix PKINIT serverDHNonce encoding Use an explicit tag for serverDHNonce, as specified in RFC 4556, rather than the implicit tag we historically used. This bug had no practical effect (and creates no interoperability issues) because we never generate a serverDHNonce. ticket: 7061 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25623 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/asn.1/asn1_k_encode.c | 8 +------- src/tests/asn.1/pkinit_encode.out | 2 +- src/tests/asn.1/pkinit_trval.out | 3 +-- 3 files changed, 3 insertions(+), 10 deletions(-) diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c index b23a3ef73..a811e7e4c 100644 --- a/src/lib/krb5/asn.1/asn1_k_encode.c +++ b/src/lib/krb5/asn.1/asn1_k_encode.c @@ -1574,15 +1574,9 @@ dh_rep_info_optional(const void *p) return optional; } -/* - * RFC 4556 specifies serverDHNonce as an explicitly tagged octet string. - * Historically we encode it as an implicitly tagged octet string. This may be - * harmless (and fixable) since we don't appear to include a serverDHNonce in - * our PKINIT server code, but we would want to change this carefully. - */ static const struct field_info dh_rep_info_fields[] = { FIELDOF_NORM(krb5_dh_rep_info, ostring_data, dhSignedData, 0, 1), - FIELDOF_OPT(krb5_dh_rep_info, ostring_data, serverDHNonce, 1, 1, 1), + FIELDOF_OPT(krb5_dh_rep_info, ostring_data, serverDHNonce, 1, 0, 1), FIELDOF_OPT(krb5_dh_rep_info, kdf_alg_id_ptr, kdfID, 2, 0, 2), }; DEFSEQTYPE(dh_rep_info, krb5_dh_rep_info, diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out index e613a9ab2..77b37cd64 100644 --- a/src/tests/asn.1/pkinit_encode.out +++ b/src/tests/asn.1/pkinit_encode.out @@ -1,6 +1,6 @@ encode_krb5_pa_pk_as_req: 30 38 80 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 1E 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 encode_krb5_pa_pk_as_req_draft9: 30 52 80 08 6B 72 62 35 64 61 74 61 A1 32 30 30 80 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 83 08 6B 72 62 35 64 61 74 61 -encode_krb5_pa_pk_as_rep(dhInfo): A0 26 30 24 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61 +encode_krb5_pa_pk_as_rep(dhInfo): A0 28 30 26 80 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61 encode_krb5_pa_pk_as_rep(encKeyPack): 81 08 6B 72 62 35 64 61 74 61 encode_krb5_pa_pk_as_rep_draft9(dhSignedData): 80 08 6B 72 62 35 64 61 74 61 encode_krb5_pa_pk_as_rep_draft9(encKeyPack): 81 08 6B 72 62 35 64 61 74 61 diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out index 9959afa9f..7ee5b1de5 100644 --- a/src/tests/asn.1/pkinit_trval.out +++ b/src/tests/asn.1/pkinit_trval.out @@ -38,8 +38,7 @@ encode_krb5_pa_pk_as_rep(dhInfo): . [Sequence/Sequence Of] . . [0] <8> 6b 72 62 35 64 61 74 61 krb5data -. . [1] <8> - 6b 72 62 35 64 61 74 61 krb5data +. . [1] [Octet String] "krb5data" . . [2] [Sequence/Sequence Of] . . . [0] [Object Identifier] <8> 6b 72 62 35 64 61 74 61 krb5data -- 2.26.2