[PATCH] s4:torture/rpc/backupkey: Require 2048 bit RSA key

Tue Dec 23 16:40:14 MST 2014

Hi Gaming,

please find attached an updated version of the torture test patch which takes 
into account your suggestions and adds some missing memory cleanup as well.

Regarding the game of chance in retriving the proper key length, yes, I see 
the point. Since this key is only generated rarely I was willing to go for it 
but if you have an idea how to improve upon this your welcome. When I looked 
at keys generated from AD they had exactly 2048 bits whenever I checked. The 
best would be IMHO if Heimdal could be convinced to actually deliver a key 
with the required properties (at least if somehow explicitely requested). But 
probably this would only shift the problem of convergence to Heimdal.

All the best wishes for xmas and the new year :-)
Arvid

Am Mittwoch, 24. Dezember 2014, 11:09:48 schrieb Garming Sam:
> Hi Arvid,
> 
> Considering there are actually users who are seeing this, it would be
> nice to see this test and the first patch getting in sometime soon.
> 
> 
> Just a few things I noticed:
> 
> We're still using classic C style declarations, so
> 
> 	hx509_context_init(&hctx);
> 
> should be after the last declaration.
> 
> ndr_err is also unused.
> 
> 
> Running the test and failing on current Samba, it appears that 2048 bit
> is surprisingly rare. I would've assumed that it was only off half the
> time based on the final bit, but briefly looking at the default Heimdal
> implementation, the code seems content with providing only roughly the
> required amount of bits. Mostly it returns 2047, but it also returns
> 2043 quite a bit and even fewer sometimes.
> 
> Assuming Windows accepts more than 2048 bits, I don't know if it might
> be a good idea to increase what we're asking for, or maybe even use a
> different generation scheme. I don't know what kind of implications this
> might have, so someone else should probably comment.
> 
> Something else to consider is if the implementation never returns the
> required amount of bits, we might get stuck in the loop waiting for 2048
> bits forever. Placing a limit on this could be useful, although what
> this limit might be isn't exactly obvious since 2048 isn't as common as
> you would think.
> 
> 
> Cheers,
> 
> Garming Sam

-- 
Dr. Arvid Requate
Open Source Software Engineer

Univention GmbH
be open.
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-52
Fax : +49 421 22232-99

requate at univention.de
http://www.univention.de

Geschäftsführer: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Steuer-Nr.: 71-597-02876
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-torture-rpc-backupkey-Require-2048-bit-RSA-key.patch
Type: text/x-patch
Size: 3089 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20141224/e4ea309b/attachment.bin>