[PATCH] s4:torture/rpc/backupkey: Require 2048 bit RSA key
abartlet at samba.org
Fri Feb 13 01:48:54 MST 2015
On Wed, 2014-12-24 at 00:40 +0100, Arvid Requate wrote:
> Hi Gaming,
> please find attached an updated version of the torture test patch which takes
> into account your suggestions and adds some missing memory cleanup as well.
> Regarding the game of chance in retriving the proper key length, yes, I see
> the point. Since this key is only generated rarely I was willing to go for it
> but if you have an idea how to improve upon this your welcome. When I looked
> at keys generated from AD they had exactly 2048 bits whenever I checked. The
> best would be IMHO if Heimdal could be convinced to actually deliver a key
> with the required properties (at least if somehow explicitely requested). But
> probably this would only shift the problem of convergence to Heimdal.
> All the best wishes for xmas and the new year :-)
We ended up shifting the problem to GnuTLS, as it seemed to be able to
do it reliably. Given the underlying maths, you can either keep
generating random numbers until you get one with the right high bits
set, or you can force them to be set, so there is a chance it is being a
little smarter about it.
Can you take a look at https://bugzilla.samba.org/show_bug.cgi?id=11097
and check we didn't break anything for your use case, as we would love
to get this into 4.2.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical