[MS-BKRP] backupkey server and GnuTLS

Garming Sam garming at catalyst.net.nz
Mon Nov 30 22:48:24 UTC 2015


Hi,

Thanks for these fixes. So I tried just building on my current system 
(Ubuntu 14.04 LTS) and it failed to compile, with only GnuTLS 2.12.23.

I think the following three functions are the problematic ones right now 
(introduced with various versions > 3).

gnutls_pubkey_encrypt_data
gnutls_cipher_get_iv_size
gnutls_x509_privkey_import_rsa_raw2

Can you clarify again what version we should be using and I guess, how 
to proceed from here?


Cheers,

Garming

On 30/11/15 22:56, Andreas Schneider wrote:
> On Monday 30 November 2015 11:45:07 Garming Sam wrote:
>> Hi Andreas,
> Hi Garming,
>
>> I've looked through all the patches and I'm fairly happy with them.
>> There are a few things I noticed though, but apart from those you can
>> effectively consider me signed off.
>>
>>
>> s4-torture: Migrate get_cert_guid() from backupkey to GnuTLS
>> In this patch, I noticed that there's a predefined size for the issuer
>> unique id. I was wondering if it would be more appropriate to avoid this
>> assumption (calling the function twice to get the correct length). The
>> same goes for the additional torture tests that you've added. Assuming
>> that all these checks pass on Windows, then they're definitely helpful
>> additions.
> FIXED
>
>> s4-rpc-bkrp: Use GnuTLS API for hash functions
>> I'm well aware that GNUTLS_MAC_SHA1 refers to the same constant as its
>> digest counterpart, but if it is doing a plain digest, then the
>> appropriate constant should probably be used (especially when skimming,
>> it's one of the more obvious things to notice).
>>
> FIXED
>
>> s4-rpc-bkrp: Self sign the certificate using GnuTLS
>> In the function, generate_bkrp_cert, it looks like you may have missed
>> 'gnutls_privkey_deinit(issuer_privkey)' on the first return of WERR_NOMEM.
>>
> FIXED
>
>> I also noticed you removed the CA status, which was the other thing I
>> was going to comment on.
> I've looked at the certificates which Windows creates and they do not set the
> CA status at all! Heimdal always adds CA status information.
>
> I've implemented it the same way with GnuTLS as Windows does. See the top
> commit which adds the torture test, run it against Windows and you will notice
> that it will pass ...
>
>
> 	-- andreas
>
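Two of the review points in the quoted exchange are general C hygiene around the GnuTLS API: do not assume a fixed size for the issuer unique id but call the getter twice (once to learn the length), and release everything you acquired on every early return. The following is an added example, not Samba's code and not something posted in this thread, that shows both as a small helper. So that it builds without GnuTLS installed, it uses a constructed stand-in getter with the same (buf, *buf_size) contract that gnutls_x509_crt_get_issuer_unique_id() has, and local error-code macros whose numeric values are assumed to mirror gnutls.h; every name prefixed `demo_` is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins for the GnuTLS return codes the pattern depends on.
 * The values are assumed to match gnutls.h; that header is deliberately not included. */
#define DEMO_E_SUCCESS               0
#define DEMO_E_MEMORY_ERROR        (-25)
#define DEMO_E_INVALID_REQUEST     (-50)
#define DEMO_E_SHORT_MEMORY_BUFFER (-51)

/* Constructed certificate object: carries only the issuer unique id. */
struct demo_cert {
    const unsigned char *id;
    size_t id_len;
};

/* Getter with the GnuTLS (buf, *buf_size) contract, standing in for
 * gnutls_x509_crt_get_issuer_unique_id(): if buf is too small, report the
 * needed size through *buf_size and return the short-buffer error. */
static int demo_get_issuer_unique_id(void *obj, char *buf, size_t *buf_size)
{
    const struct demo_cert *cert = obj;

    if (cert == NULL || buf_size == NULL) {
        return DEMO_E_INVALID_REQUEST;
    }
    if (buf == NULL || *buf_size < cert->id_len) {
        *buf_size = cert->id_len;
        return DEMO_E_SHORT_MEMORY_BUFFER;
    }
    memcpy(buf, cert->id, cert->id_len);
    *buf_size = cert->id_len;
    return DEMO_E_SUCCESS;
}

typedef int (*sized_getter_fn)(void *obj, char *buf, size_t *buf_size);

/* Ask for the size, allocate exactly that much, fetch. Every failure path
 * frees what this function allocated, so no early return leaks. */
static int fetch_sized(sized_getter_fn get, void *obj,
                       unsigned char **out, size_t *out_len)
{
    size_t len = 0;
    unsigned char *buf = NULL;
    int rc;

    *out = NULL;
    *out_len = 0;

    rc = get(obj, NULL, &len);                 /* first call: learn the length */
    if (rc == DEMO_E_SUCCESS || (rc == DEMO_E_SHORT_MEMORY_BUFFER && len == 0)) {
        return DEMO_E_SUCCESS;                 /* empty value, nothing to allocate */
    }
    if (rc != DEMO_E_SHORT_MEMORY_BUFFER) {
        return rc;                             /* real error, nothing allocated yet */
    }
    buf = malloc(len);
    if (buf == NULL) {
        return DEMO_E_MEMORY_ERROR;
    }
    rc = get(obj, (char *)buf, &len);          /* second call: fetch into sized buffer */
    if (rc != DEMO_E_SUCCESS) {
        free(buf);                             /* release before the error return */
        return rc;
    }
    *out = buf;
    *out_len = len;
    return DEMO_E_SUCCESS;
}

/* Constructed 16-byte issuer unique id used by the checks below. */
static const unsigned char demo_id[16] = {
    0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33,
    0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb
};
static struct demo_cert demo_cert_obj = { demo_id, sizeof(demo_id) };

/* What a fixed buffer of `fixed` bytes gets back from the getter. */
int demo_fixed_buffer_rc(size_t fixed)
{
    char buf[64];
    size_t size = fixed;
    if (fixed > sizeof(buf)) return DEMO_E_INVALID_REQUEST;
    return demo_get_issuer_unique_id(&demo_cert_obj, buf, &size);
}

/* Length the getter reports when asked with no buffer at all. */
size_t demo_required_len(void)
{
    size_t size = 0;
    (void)demo_get_issuer_unique_id(&demo_cert_obj, NULL, &size);
    return size;
}

/* Full two-call round trip; 1 if the fetched bytes equal the constructed id. */
int demo_roundtrip_ok(void)
{
    unsigned char *id = NULL;
    size_t id_len = 0;
    int ok = 0;

    if (fetch_sized(demo_get_issuer_unique_id, &demo_cert_obj, &id, &id_len) == DEMO_E_SUCCESS
        && id_len == sizeof(demo_id) && memcmp(id, demo_id, id_len) == 0) {
        ok = 1;
    }
    free(id);
    return ok;
}

/* A getter error propagates unchanged and leaves nothing allocated. */
int demo_error_rc(void)
{
    unsigned char *id = NULL;
    size_t id_len = 0;
    int rc = fetch_sized(demo_get_issuer_unique_id, NULL, &id, &id_len);
    free(id);                                  /* still NULL here; free(NULL) is a no-op */
    return rc;
}

int main(void)
{
    printf("required length: %zu\n", demo_required_len());
    printf("8-byte buffer rc: %d\n", demo_fixed_buffer_rc(8));
    printf("round trip ok: %d\n", demo_roundtrip_ok());
    return demo_roundtrip_ok() ? 0 : 1;
}
```

The point of `demo_fixed_buffer_rc(8)` is the failure mode the review was guarding against: a buffer sized by assumption gets an error and the id is never read, whereas `fetch_sized` sizes the buffer from what the getter itself reports. With the real GnuTLS getter the same helper applies unchanged, apart from swapping the `DEMO_E_*` macros for the `GNUTLS_E_*` ones.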