Univention Bugzilla – Attachment 5986 Details for Bug 35287: Windows DPAPI fails after repeated user password change
[patch] 0001-s4-backupkey-Ensure-RSA-modulus-is-2048-bits.patch
Filename: 0001-s4-backupkey-Ensure-RSA-modulus-is-2048-bits.patch
MIME Type: text/plain
Creator: Arvid Requate
Created: 2014-07-07 19:49:32 CEST
Size: 2.18 KB
Attachment flags: patch, obsolete
>From 1f49bf1531935a28147afe0cae4f2298e809fa0b Mon Sep 17 00:00:00 2001 >From: Arvid Requate <requate@univention.de> >Date: Mon, 7 Jul 2014 17:39:51 +0200 >Subject: [PATCH 01/10] s4-backupkey: Ensure RSA modulus is 2048 bits > >RSA_generate_key_ex doesn't always generate a modulus of requested >bit length. Tests with Windows 7 clients showed that they decline >x509 certificates (MS-BKRP 2.2.1) in cases where the modulus length >is smaller than the specified 2048 bits. For the user this resulted >in DPAPI failing to retrieve stored credentials after the user password >has been changed at least two times. On the server side log.samba showed >that the client also called the as yet unlimplemented ServerWrap sub- >protocol function BACKUPKEY_BACKUP_KEY_GUID after it had called the >ClientWarp function BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID. After >enabling DPAPI auditing on the Windows Clients the Event Viewer showed >Event-ID 4692 failing with a FailureReason value of 0x7a in these cases. > >Signed-off-by: Arvid Requate <requate@univention.de> >--- > source4/rpc_server/backupkey/dcesrv_backupkey.c | 15 ++++++++++----- > 1 file changed, 10 insertions(+), 5 deletions(-) > >diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c >index 87799db..765caeb 100644 >--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c >+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c >@@ -759,6 +759,7 @@ static WERROR create_heimdal_rsa_key(TALLOC_CTX *ctx, hx509_context *hctx, > uint8_t *p0, *p; > size_t len; > int bits = 2048; >+ int RSA_returned_bits; > > *_rsa = NULL; 
> >@@ -776,11 +777,15 @@ static WERROR create_heimdal_rsa_key(TALLOC_CTX *ctx, hx509_context *hctx, > return WERR_INTERNAL_ERROR; > } > >- ret = RSA_generate_key_ex(rsa, bits, pub_expo, NULL); >- if(ret != 1) { >- RSA_free(rsa); >- BN_free(pub_expo); >- return WERR_INTERNAL_ERROR; >+ while (RSA_returned_bits != bits) { >+ ret = RSA_generate_key_ex(rsa, bits, pub_expo, NULL); >+ if(ret != 1) { >+ RSA_free(rsa); >+ BN_free(pub_expo); >+ return WERR_INTERNAL_ERROR; >+ } >+ RSA_returned_bits = BN_num_bits(rsa->n); >+ DEBUG(6, ("RSA_generate_key_ex returned %d Bits\n", RSA_returned_bits)); > } > BN_free(pub_expo); > >-- >2.0.0.rc2 >
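Review bot: `RSA_returned_bits` is read before it is ever assigned. The first hunk declares it as `int RSA_returned_bits;` with no initializer, and the second hunk's loop condition `while (RSA_returned_bits != bits)` evaluates that indeterminate value on the first iteration, which is undefined behaviour in C; if the stack garbage happens to equal 2048 the loop body never runs and the function continues with an `rsa` object that holds no key. Initialise it (`int RSA_returned_bits = 0;`) or rewrite the loop as `do { ... } while (BN_num_bits(rsa->n) != bits);` so the first generation is unconditional. It would also be safer to bound the retry with a small attempt counter that returns `WERR_INTERNAL_ERROR` when exhausted, since the loop as written has no exit if `RSA_generate_key_ex` keeps returning a short modulus.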