review of the backupkey protocol implementation

Matthieu Patou mat at
Tue Oct 12 07:30:54 MDT 2010

Hi Simo,
> Matthieu, any specific reason why you are using internal Heimdal x509
> functions instead of just using an SSL library like openSSL, NSS,
> GNUTLS, etc.. ?
I send emails on the list at this subject in the beginning of august, I 
started first with a try with gnutls but when I understood that I need 
to access and set (when generating) a deprecated cert field 
(SubjectUniqId field, see 2.2.1 Server Public Key for ClientWrap 
Subprotocol of ms-bkrp.pdf).
Neither gnutls nor openSSL allowed to set or query this field (it's 
deprecated so let's not allow to be queried/set). I started to talk on 
the list not too much persons give me their point of view when I 
suggested to switch to heimdal.

Although the version at this moment wasn't much more capable, as we had 
already the code inside the project I know that I had the possibility to 
had the missing bits to be able to implement what was needed by this 
protocol. I could also have included a patched version of gnutls but I 
think it was not the good way to do it (it would have means that we 
would have to pull one more external project, and follow closely the 
security updates + the risk of duplicated symbols), waiting for distro 
to include a fix was a not a solution as for instance I needed this 
implementation since a year at least.

It turns out that the collaboration with love was very smooth and we 
already have a version of heimdal unpatched, I'm really not sure that 
this kind of collaboration would have been possible with gnutls (maybe 
I'm wrong but at least gnutls guys were not present at SDC when I 
implemented a lot of stuff related to this protocol ...).

That's why we are using heimdal right now, once gnutls (I think brad 
from openchange did something in this direction) has the updated version 
it will be possible to update the code to make the SSL backend heimdal 
or gnutls.

Although I'm not planning to spend time anytime soon on this on my spare 


Matthieu Patou
Samba Team

More information about the samba-technical mailing list