From: Vladimír Čunát
Date: Mon, 6 Mar 2023 16:21:50 +0000 (+0100)
Subject: daemon/tls_ephemeral_credentials nit: improve cert serial
X-Git-Tag: v5.7.0~12^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=645c6eb178fb12a8cb736f0fb87c80771e949728;p=thirdparty%2Fknot-resolver.git

daemon/tls_ephemeral_credentials nit: improve cert serial

I don't expect this matters, but why not fix this to do what was intended (by the comment). Discovered by Daniel Salzman
---

diff --git a/daemon/tls.c b/daemon/tls.c
index 9637369e5..355aae26e 100644
--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -573,6 +573,7 @@ ssize_t tls_process_input_data(struct session *s, const uint8_t *buf, ssize_t nr
 * \return error code
 */
 static int get_oob_key_pin(gnutls_x509_crt_t crt, char *outchar, ssize_t outchar_len, bool raw) {
+/* TODO: simplify this function by using gnutls_x509_crt_get_key_id() */
 if (kr_fails_assert(!raw || outchar_len >= TLS_SHA256_RAW_LEN)) {
 return kr_error(ENOSPC);
 /* With !raw we have check inside kr_base64_encode. */
diff --git a/daemon/tls_ephemeral_credentials.c b/daemon/tls_ephemeral_credentials.c
index 48e8d4a05..23b944f62 100644
--- a/daemon/tls_ephemeral_credentials.c
+++ b/daemon/tls_ephemeral_credentials.c
@@ -159,7 +159,7 @@ static gnutls_x509_crt_t get_ephemeral_cert(gnutls_x509_privkey_t privkey, const
 uint8_t serial[16];
 gnutls_rnd(GNUTLS_RND_NONCE, serial, sizeof(serial));
 /* clear the left-most bit to avoid signedness confusion: */
-serial[0] &= 0x8f;
+serial[0] &= 0x7f;
 size_t namelen = strlen(servicename);
 #define gtx(fn, ...) \
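Review bot: The TODO added at the top of get_oob_key_pin in the daemon/tls.c hunk does not record the one constraint a future rewrite must keep: the pin bytes this function produces are, judging by TLS_SHA256_RAW_LEN and the function name, a SHA-256 digest that is later compared against pins configured elsewhere, so replacing the body with gnutls_x509_crt_get_key_id() is only safe if the key id is computed the same way (the SHA-256 variant, GNUTLS_KEYID_USE_SHA256, over the same input), otherwise previously configured pins stop matching without any error. I would extend the comment to `/* TODO: simplify this function by using gnutls_x509_crt_get_key_id(); the output must stay byte-identical to the current pin (SHA-256 variant), or existing pins silently stop matching. */`. As a matter of style, since the Doxygen block directly above already carries `\return`, a `\todo` entry there would surface the note in generated docs instead of burying it in the body. The body of get_oob_key_pin continues past the end of the hunk, so whether the current computation hashes the SubjectPublicKeyInfo or something else is not visible here and should be confirmed before the rewrite.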