[PATCH] s4:torture/rpc/backupkey: Require 2048 bit RSA key

Garming Sam garming at catalyst.net.nz
Tue Dec 23 15:09:48 MST 2014 

Hi Arvid,

Considering there are actually users who are seeing this, it would be 
nice to see this test and the first patch getting in sometime soon.


Just a few things I noticed:

We're still using classic C style declarations, so

	hx509_context_init(&hctx);

should be after the last declaration.

ndr_err is also unused.


Running the test and failing on current Samba, it appears that 2048 bit 
is surprisingly rare. I would've assumed that it was only off half the 
time based on the final bit, but briefly looking at the default Heimdal 
implementation, the code seems content with providing only roughly the 
required amount of bits. Mostly it returns 2047, but it also returns 
2043 quite a bit and even fewer sometimes.

Assuming Windows accepts more than 2048 bits, I don't know if it might 
be a good idea to increase what we're asking for, or maybe even use a 
different generation scheme. I don't know what kind of implications this 
might have, so someone else should probably comment.

Something else to consider is if the implementation never returns the 
required amount of bits, we might get stuck in the loop waiting for 2048 
bits forever. Placing a limit on this could be useful, although what 
this limit might be isn't exactly obvious since 2048 isn't as common as 
you would think.


Cheers,

Garming Sam


On 24/12/14 07:30, Arvid Requate wrote:
> Hello,
>
> the attached patch extends the torture tests for the backupkey protocol (MS-
> BKRP) implementation to ensure that the generated x509 certificate actually has
> an RSA key with the full 2048 bits required by the protocol (and by Windows
> DPAPI).
>
> This testcase accompanies the patches for the backupkey protocol
> implementation I proposed in July, which are available for review at
>
>   http://repo.or.cz/w/Samba/reqa.git/shortlog/refs/heads/BKRP
>
> Feedback welcome.
> Arvid
>
> On 24/11/14 10:01, Andrew Bartlett wrote:
>> Indeed, the patch was proposed, but didn't get the attention of a
>> suitable reviewer, and didn't have any tests to prevent regressions.
>> Someone needs to take it back up and re-submit.
>
>
> On 07/08/14 12:31, Arvid Requate wrote:
>> Hello,
>>
>> we received positive customer feedback on the effectiveness of my recently
>> posted patches for the backupkey protocol implementation in Samba.
>> The patches are now available via
>>
>> http://repo.or.cz/w/Samba/reqa.git/shortlog/refs/heads/BKRP
>>
>> Feedback appreciated.
>>
>> Cheers,
>> Arvid
>

More information about the samba-technical mailing list