[MS-BKRP] backupkey server and GnuTLS

Garming Sam garming at catalyst.net.nz
Mon Nov 30 22:48:24 UTC 2015


Thanks for these fixes. So I tried just building on my current system 
(Ubuntu 14.04 LTS) and it failed to compile, with only GnuTLS 2.12.23.

I think the following three functions are the problematic ones right now 
(introduced with various versions > 3).


Can you clarify again what version we should be using and I guess, how 
to proceed from here?



On 30/11/15 22:56, Andreas Schneider wrote:
> On Monday 30 November 2015 11:45:07 Garming Sam wrote:
>> Hi Andreas,
> Hi Garming,
>> I've looked through all the patches and I'm fairly happy with them.
>> There's a few things I noticed though, but apart from those you can
>> effectively consider me signed off.
>> s4-torture: Migrate get_cert_guid() from backupkey to GnuTLS
>> In this patch, I noticed that there's a predefined size for the issuer
>> unique id. I was wondering if it would be more appropriate to avoid this
>> assumption (calling the function twice to get the correct length). The
>> same goes for the additional torture tests that you've added. Assuming
>> that all these checks pass on Windows, then they're definitely helpful
>> additions.
>> s4-rpc-bkrp: Use GnuTLS API for hash functions
>> I'm well aware that GNUTLS_MAC_SHA1 refers to the same constant as its
>> digest counterpart, but if it is doing a plain digest, then the
>> appropriate constant should probably be used (especially when skimming,
>> it's one of the more obvious things to notice).
>> s4-rpc-bkrp: Self sign the certificate using GnuTLS
>> In the function, generate_bkrp_cert, it looks like you may have missed
>> 'gnutls_privkey_deinit(issuer_privkey)' on the first return of WERR_NOMEM.
>> I also noticed you removed the CA status, which was the other thing I
>> was going to comment on.
> I've looked at the certificates which windows creates and they do not set the
> CA status at all! Heimdal always add CA status information.
> I've implemented it the same way with GnuTLS as Windows does. See the top
> commit which adds the torture test, run it against windows and you will notice
> that it will pass ...
> 	-- andreas

More information about the samba-technical mailing list