From 7ad61f9cf76bfa79d0e94468c31cb7d2e6afb494 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 16 Feb 2015 11:26:37 +1300
Subject: [PATCH] backupkey: Explain more why we use GnuTLS here
Pair-programmed-with: Garming Sam
Signed-off-by: Garming Sam
Signed-off-by: Andrew Bartlett
(cherry picked from commit 927ea9791e3d1a91516b1cec6918772da83a7fbb)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11097 Win8.1 Credentials Manager issue after KB2992611 on Samba domain
Autobuild-User(v4-2-test): Karolin Seeger
Autobuild-Date(v4-2-test): Wed Mar 4 00:28:59 CET 2015 on sn-devel-104
---
 .../rpc_server/backupkey/dcesrv_backupkey.c | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index ae4c871d9d9..bef4c93d107 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -816,6 +816,13 @@ static WERROR create_heimdal_rsa_key(TALLOC_CTX *ctx, hx509_context *hctx,
 return WERR_INTERNAL_ERROR;
 }
+ /*
+ * Unlike Heimdal's RSA_generate_key_ex(), this generates a
+ * 2048 bit key 100% of the time. The heimdal code had a ~1/8
+ * chance of doing so, chewing vast quantities of computation
+ * and entropy in the process.
+ */
+
 ret = gnutls_x509_privkey_generate(gtls_key, GNUTLS_PK_RSA, bits, 0);
 if (ret != 0) {
 werr = WERR_INTERNAL_ERROR;
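Review bot: The comment added above `gnutls_x509_privkey_generate()` hard-codes "2048 bit", while the call itself passes the variable `bits`, whose value is assigned outside this hunk; if that value is ever changed the comment silently becomes wrong. I would tie the wording to the argument, e.g. `* Unlike Heimdal's RSA_generate_key_ex(), this always generates a key of exactly the requested size (bits, 2048 here).` The comment also implies that an exact modulus length is required but does not say who requires it; one sentence naming that requirement would tell a maintainer why a slightly shorter key is not acceptable. The body of create_heimdal_rsa_key starts and ends outside the hunk.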
@@ -837,6 +844,19 @@ static WERROR create_heimdal_rsa_key(TALLOC_CTX *ctx, hx509_context *hctx,
 }
 p = p0;
+ /*
+ * Only this GnuTLS export function correctly exports the key,
+ * we can't use gnutls_rsa_params_export_raw() because while
+ * it appears to be fixed in more recent versions, in the
+ * Ubuntu 14.04 version 2.12.23 (at least) it incorrectly
+ * exports one of the key parameters (qInv). Additionally, we
+ * would have to work around subtle differences in big number
+ * representations.
+ *
+ * We need access to the RSA parameters directly (in the
+ * parameter RSA **rsa) as the caller has to manually encode
+ * them in a non-standard data structure.
+ */
 ret = gnutls_x509_privkey_export(gtls_key, GNUTLS_X509_FMT_DER, p0, &len);
 if (ret != 0) {
--
2.47.2
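Review bot: The comment before `gnutls_x509_privkey_export()` ties the workaround to GnuTLS 2.12.23 on Ubuntu 14.04 and says the qInv export "appears to be fixed in more recent versions", but gives no version or upstream reference, so nobody can tell when the DER detour may be dropped; a line such as `* TODO: revisit once the minimum supported GnuTLS exports qInv correctly.` would make that explicit. Since this path writes the unencrypted private key as DER into `p0`, the comment is also a good place to state that the buffer holds key material and has to be wiped before it is freed; whether the function does so is not visible here. The `RSA **rsa` parameter the comment refers to is outside the hunk, as are the start and end of create_heimdal_rsa_key.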