s4-backupkey: Ensure RSA modulus is 2048 bits
commit 899f4db2c2fce4d7246d6149961dfb5071efcb05
author Arvid Requate <requate@univention.de>
Mon, 7 Jul 2014 15:39:51 +0000 (7 17:39 +0200)
committer Karolin Seeger <kseeger@samba.org>
Tue, 3 Mar 2015 21:07:10 +0000 (3 22:07 +0100)
tree dab3246511cb7edc8b90b0842ab64a814c054ad4
parent 93fe49868c5f29d930e6363b148a6c7a941bb6b1
s4-backupkey: Ensure RSA modulus is 2048 bits

RSA_generate_key_ex doesn't always generate a modulus of requested
bit length. Tests with Windows 7 clients showed that they decline
x509 certificates (MS-BKRP 2.2.1) in cases where the modulus length
is smaller than the specified 2048 bits. For the user this resulted
in DPAPI failing to retrieve stored credentials after the user password
has been changed at least two times. On the server side log.samba showed
that the client also called the as yet unimplemented ServerWrap sub-
protocol function BACKUPKEY_BACKUP_KEY_GUID after it had called the
ClientWrap function BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID. After
enabling DPAPI auditing on the Windows Clients the Event Viewer showed
Event-ID 4692 failing with a FailureReason value of 0x7a in these cases.

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10980
(cherry picked from commit 9b2ff26c893e5748d12d7a37a93eef7b1f4b1a1b)
source4/rpc_server/backupkey/dcesrv_backupkey.c
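
The failure mode named in the commit message, shown at reduced scale as an added example (not code from this commit or from Samba): two full-length primes can still multiply to a modulus one bit short, so the generator has to check the result and retry. Here 32-bit primes and a 64-bit modulus stand in for 1024-bit primes and the 2048-bit modulus; all function names and the xorshift stream are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit length of n, the quantity BN_num_bits() reports for a real modulus. */
static unsigned bit_length(uint64_t n) {
    unsigned bits = 0;
    while (n) { bits++; n >>= 1; }
    return bits;
}
/* Trial division; sufficient for the 32-bit toy primes used here. */
static int is_prime(uint32_t n) {
    if (n < 2) return 0;
    if (n % 2 == 0) return n == 2;
    for (uint32_t d = 3; (uint64_t)d * d <= n; d += 2)
        if (n % d == 0) return 0;
    return 1;
}
/* Constructed, deterministic xorshift32 stream; NOT a cryptographic RNG. */
static uint32_t next_rand(uint32_t *s) {
    if (*s == 0) *s = 0x9E3779B9u;      /* xorshift must not start at zero */
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
    return *s;
}
/* Random odd prime with the top bit forced: always exactly 32 bits long. */
static uint32_t prime32(uint32_t *s) {
    for (;;) {
        uint32_t c = next_rand(s) | 0x80000001u;
        if (is_prime(c)) return c;
    }
}
/* Naive generation: modulus length is never checked (63 or 64 bits). */
static uint64_t gen_naive(uint32_t *s) {
    uint64_t p = prime32(s), q = prime32(s);
    return p * q;
}
/* Checked generation: regenerate until the modulus is exactly 64 bits. */
static uint64_t gen_checked(uint32_t *s, unsigned *attempts) {
    uint64_t n;
    *attempts = 0;
    do { n = gen_naive(s); (*attempts)++; } while (bit_length(n) != 64);
    return n;
}
int main(void) {
    uint32_t s = 1;
    unsigned short_n = 0, tries;
    for (int i = 0; i < 1000; i++) short_n += bit_length(gen_naive(&s)) < 64;
    printf("naive: %u of 1000 moduli shorter than 64 bits\n", short_n);
    printf("checked: %u bits\n", bit_length(gen_checked(&s, &tries)));
    return 0;
}
```

In a real key generator the same check is a comparison of the modulus bit length against the requested size after each generation call, before the key is wrapped in a certificate.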