[PATCH] s4:torture/rpc/backupkey: Require 2048 bit RSA key

Andrew Bartlett abartlet at samba.org
Fri Feb 13 01:48:54 MST 2015


On Wed, 2014-12-24 at 00:40 +0100, Arvid Requate wrote:
> Hi Gaming,
> 
> please find attached an updated version of the torture test patch which takes 
> into account your suggestions and adds some missing memory cleanup as well.
> 
> Regarding the game of chance in retrieving the proper key length, yes, I see 
> the point. Since this key is only generated rarely I was willing to go for it 
> but if you have an idea how to improve upon this you're welcome. When I looked 
> at keys generated from AD they had exactly 2048 bits whenever I checked. The 
> best would be IMHO if Heimdal could be convinced to actually deliver a key 
> with the required properties (at least if somehow explicitly requested). But 
> probably this would only shift the problem of convergence to Heimdal.
> 
> All the best wishes for xmas and the new year :-)
> Arvid

We ended up shifting the problem to GnuTLS, as it seemed to be able to
do it reliably.  Given the underlying maths, you can either keep
generating random numbers until you get one with the right high bits
set, or you can force them to be set, so there is a chance it is being a
little smarter about it.  

Can you take a look at https://bugzilla.samba.org/show_bug.cgi?id=11097
and check we didn't break anything for your use case, as we would love
to get this into 4.2.

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
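
The two strategies mentioned in the reply above (regenerate until the modulus has the right length, or force the high bits of each prime), as an added illustration that is not part of the original message and is not Samba, Heimdal or GnuTLS code. All function names are hypothetical, and the sketch shows only the arithmetic, not how any of those libraries generate keys.

```python
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test with random bases."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def low_bound(half, force_top_two):
    """Smallest candidate: only the top bit set, or the top two bits set."""
    return (3 << (half - 2)) if force_top_two else (1 << (half - 1))

def random_prime(half, force_top_two):
    while True:
        cand = secrets.randbits(half) | low_bound(half, force_top_two) | 1
        if is_probable_prime(cand):
            return cand

def smallest_product_bits(bits, force_top_two):
    """Bit length of the smallest possible p*q under each strategy."""
    return (low_bound(bits // 2, force_top_two) ** 2).bit_length()

def generate_modulus(bits, force_top_two):
    """Return (n, attempts); with forcing, the length check can never fail."""
    attempts = 0
    while True:
        attempts += 1
        p, q = (random_prime(bits // 2, force_top_two) for _ in range(2))
        if p != q and (p * q).bit_length() == bits:
            return p * q, attempts
```

With only the top bit of each 1024-bit prime set, the product can come out at 2047 bits, which is why the retry loop is needed; with the top two bits set, each prime is at least 1.5 * 2^1023, so the product is at least 2.25 * 2^2046 and always has 2048 bits.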



