svn rev #25623: trunk/src/ lib/krb5/asn.1/ tests/asn.1/

ghudson@MIT.EDU ghudson at MIT.EDU
Sun Jan 8 16:28:00 EST 2012


http://src.mit.edu/fisheye/changelog/krb5/?cs=25623
Commit By: ghudson
Log Message:
ticket: 7061
subject: Fix PKINIT serverDHNonce encoding

Use an explicit tag for serverDHNonce, as specified in RFC 4556,
rather than the implicit tag we historically used.  This bug had no
practical effect (and creates no interoperability issues) because we
never generate a serverDHNonce.


Changed Files:
U   trunk/src/lib/krb5/asn.1/asn1_k_encode.c
U   trunk/src/tests/asn.1/pkinit_encode.out
U   trunk/src/tests/asn.1/pkinit_trval.out
Modified: trunk/src/lib/krb5/asn.1/asn1_k_encode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_encode.c	2012-01-08 02:10:47 UTC (rev 25622)
+++ trunk/src/lib/krb5/asn.1/asn1_k_encode.c	2012-01-08 21:27:59 UTC (rev 25623)
@@ -1574,15 +1574,9 @@
     return optional;
 }
 
-/*
- * RFC 4556 specifies serverDHNonce as an explicitly tagged octet string.
- * Historically we encode it as an implicitly tagged octet string.  This may be
- * harmless (and fixable) since we don't appear to include a serverDHNonce in
- * our PKINIT server code, but we would want to change this carefully.
- */
 static const struct field_info dh_rep_info_fields[] = {
     FIELDOF_NORM(krb5_dh_rep_info, ostring_data, dhSignedData, 0, 1),
-    FIELDOF_OPT(krb5_dh_rep_info, ostring_data, serverDHNonce, 1, 1, 1),
+    FIELDOF_OPT(krb5_dh_rep_info, ostring_data, serverDHNonce, 1, 0, 1),
     FIELDOF_OPT(krb5_dh_rep_info, kdf_alg_id_ptr, kdfID, 2, 0, 2),
 };
 DEFSEQTYPE(dh_rep_info, krb5_dh_rep_info,
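Review bot: The serverDHNonce entry in `dh_rep_info_fields` now carries bare positional flags (`1, 0, 1`) and the explanatory comment is gone, so nothing at the table records why this octet string is tagged explicitly while dhSignedData beside it stays implicit. Judging by this change, the fifth `FIELDOF_OPT` argument is the implicit-tag flag. A one-line replacement comment would stop a later cleanup from flipping it back, e.g. `/* serverDHNonce is [1] EXPLICIT OCTET STRING per RFC 4556 (implicit flag must stay 0). */`. The changed-file list shows only the encoder table and the expected test outputs, so it is worth confirming that the matching decode path accepts the explicit form, since a peer that does send serverDHNonce would presumably use the RFC encoding. The hunk begins inside the preceding function and ends partway through the `DEFSEQTYPE` invocation, so the rest of the sequence definition is not visible here.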

Modified: trunk/src/tests/asn.1/pkinit_encode.out
===================================================================
--- trunk/src/tests/asn.1/pkinit_encode.out	2012-01-08 02:10:47 UTC (rev 25622)
+++ trunk/src/tests/asn.1/pkinit_encode.out	2012-01-08 21:27:59 UTC (rev 25623)
@@ -1,6 +1,6 @@
 encode_krb5_pa_pk_as_req: 30 38 80 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 1E 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61
 encode_krb5_pa_pk_as_req_draft9: 30 52 80 08 6B 72 62 35 64 61 74 61 A1 32 30 30 80 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 81 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 82 08 6B 72 62 35 64 61 74 61 83 08 6B 72 62 35 64 61 74 61
-encode_krb5_pa_pk_as_rep(dhInfo): A0 26 30 24 80 08 6B 72 62 35 64 61 74 61 81 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
+encode_krb5_pa_pk_as_rep(dhInfo): A0 28 30 26 80 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 A2 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61
 encode_krb5_pa_pk_as_rep(encKeyPack): 81 08 6B 72 62 35 64 61 74 61
 encode_krb5_pa_pk_as_rep_draft9(dhSignedData): 80 08 6B 72 62 35 64 61 74 61
 encode_krb5_pa_pk_as_rep_draft9(encKeyPack): 81 08 6B 72 62 35 64 61 74 61

Modified: trunk/src/tests/asn.1/pkinit_trval.out
===================================================================
--- trunk/src/tests/asn.1/pkinit_trval.out	2012-01-08 02:10:47 UTC (rev 25622)
+++ trunk/src/tests/asn.1/pkinit_trval.out	2012-01-08 21:27:59 UTC (rev 25623)
@@ -38,8 +38,7 @@
 .  [Sequence/Sequence Of] 
 .  .  [0] <8>
          6b 72 62 35 64 61 74 61                          krb5data
-.  .  [1] <8>
-         6b 72 62 35 64 61 74 61                          krb5data
+.  .  [1] [Octet String] "krb5data"
 .  .  [2] [Sequence/Sequence Of] 
 .  .  .  [0] [Object Identifier] <8>
             6b 72 62 35 64 61 74 61                          krb5data


