review of the backupkey protocol implementation
Matthieu Patou
mat at samba.org
Tue Oct 12 07:30:54 MDT 2010
Hi Simo,
> Matthieu, any specific reason why you are using internal Heimdal x509
> functions instead of just using an SSL library like openSSL, NSS,
> GNUTLS, etc.. ?
I send emails on the list at this subject in the beginning of august, I
started first with a try with gnutls but when I understood that I need
to access and set (when generating) a deprecated cert field
(SubjectUniqId field, see 2.2.1 Server Public Key for ClientWrap
Subprotocol of ms-bkrp.pdf).
Neither gnutls nor openSSL allowed to set or query this field (it's
deprecated so let's not allow to be queried/set). I started to talk on
the list not too much persons give me their point of view when I
suggested to switch to heimdal.
Although the version at this moment wasn't much more capable, as we had
already the code inside the project I know that I had the possibility to
had the missing bits to be able to implement what was needed by this
protocol. I could also have included a patched version of gnutls but I
think it was not the good way to do it (it would have means that we
would have to pull one more external project, and follow closely the
security updates + the risk of duplicated symbols), waiting for distro
to include a fix was a not a solution as for instance I needed this
implementation since a year at least.
It turns out that the collaboration with love was very smooth and we
already have a version of heimdal unpatched, I'm really not sure that
this kind of collaboration would have been possible with gnutls (maybe
I'm wrong but at least gnutls guys were not present at SDC when I
implemented a lot of stuff related to this protocol ...).
That's why we are using heimdal right now, once gnutls (I think brad
from openchange did something in this direction) has the updated version
it will be possible to update the code to make the SSL backend heimdal
or gnutls.
Although I'm not planning to spend time anytime soon on this on my spare
time.
Matthieu.
--
Matthieu Patou
Samba Team http://samba.org
More information about the samba-technical
mailing list