I don't expect this matters, but why not fix this
to do what was intended (by the comment).
Discovered by Daniel Salzman <daniel.salzman@nic.cz>
* \return error code */
static int get_oob_key_pin(gnutls_x509_crt_t crt, char *outchar, ssize_t outchar_len, bool raw)
{
+ /* TODO: simplify this function by using gnutls_x509_crt_get_key_id() */
if (kr_fails_assert(!raw || outchar_len >= TLS_SHA256_RAW_LEN)) {
return kr_error(ENOSPC);
/* With !raw we have check inside kr_base64_encode. */
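Review bot: The TODO added at the top of get_oob_key_pin should name the digest flag, since gnutls_x509_crt_get_key_id() called with flags 0 returns a SHA-1 key ID as far as I know. The length check just below uses TLS_SHA256_RAW_LEN, which suggests the pin is a SHA-256 digest. A later simplification that omits the flag would yield pins that silently stop matching the configured ones. I would write the comment as `/* TODO: simplify this function by using gnutls_x509_crt_get_key_id() with GNUTLS_KEYID_USE_SHA256 */`. The function body continues outside the hunk, so how the digest is computed today is not visible here.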
uint8_t serial[16];
gnutls_rnd(GNUTLS_RND_NONCE, serial, sizeof(serial));
/* clear the left-most bit to avoid signedness confusion: */
- serial[0] &= 0x8f;
+ serial[0] &= 0x7f;
size_t namelen = strlen(servicename);
#define gtx(fn, ...) \
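Review bot: The result of `gnutls_rnd()` two lines above the corrected mask is discarded, so on failure `serial` keeps whatever was on the stack (it has no initializer) and those bytes go on to be used as the certificate serial. The new `0x7f` mask matches the comment, but it cannot help if the buffer was never filled. I would check the call, e.g. `if (gnutls_rnd(GNUTLS_RND_NONCE, serial, sizeof(serial)) < 0)` followed by the function's existing error exit. The enclosing function starts and ends outside the hunk, so the exact cleanup path has to be taken from the surrounding code.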