review of the backupkey protocol implementation

Andrew Bartlett abartlet at
Tue Oct 12 15:28:39 MDT 2010

On Tue, 2010-10-12 at 17:30 +0400, Matthieu Patou wrote:
> Hi Simo,
> > Matthieu, any specific reason why you are using internal Heimdal x509
> > functions instead of just using an SSL library like openSSL, NSS,
> > GNUTLS, etc.. ?
> I send emails on the list at this subject in the beginning of august, I 
> started first with a try with gnutls but when I understood that I need 
> to access and set (when generating) a deprecated cert field 
> (SubjectUniqId field, see 2.2.1 Server Public Key for ClientWrap 
> Subprotocol of ms-bkrp.pdf).
> Neither gnutls nor openSSL allowed to set or query this field (it's 
> deprecated so let's not allow to be queried/set). I started to talk on 
> the list not too much persons give me their point of view when I 
> suggested to switch to heimdal.
> Although the version at this moment wasn't much more capable, as we had 
> already the code inside the project I know that I had the possibility to 
> had the missing bits to be able to implement what was needed by this 
> protocol. I could also have included a patched version of gnutls but I 
> think it was not the good way to do it (it would have means that we 
> would have to pull one more external project, and follow closely the 
> security updates + the risk of duplicated symbols), waiting for distro 
> to include a fix was a not a solution as for instance I needed this 
> implementation since a year at least.
> It turns out that the collaboration with love was very smooth and we 
> already have a version of heimdal unpatched, I'm really not sure that 
> this kind of collaboration would have been possible with gnutls (maybe 
> I'm wrong but at least gnutls guys were not present at SDC when I 
> implemented a lot of stuff related to this protocol ...).
> That's why we are using heimdal right now, once gnutls (I think brad 
> from openchange did something in this direction) has the updated version 
> it will be possible to update the code to make the SSL backend heimdal 
> or gnutls.


These are indeed very good reasons for the approach you have taken,
which I supported at the time and continue to support.  The reason we
have a patched Heimdal in the tree is to allow this kind of innovation
and collaboration. 

Love has already made changes to Heimdal to better support your work,
and this great relationship continues to make Samba4 stronger. 


I understand your reluctance to have Samba4 further depend on Heimdal,
but I don't see a reasonable alternative in this case.  Certainly I see
no sense in adding patched OpenSSL or GnuTLS versions as a dependency
when Heimdal already supplies the required functions (indeed GnuTLS has
been quite a pain to depend on).

I'm quite happy for you to maintain reasonable patches for MIT
comparability in the tree, but even if we did use MIT for Kerberos, I
see no reason why we can't continue to use the hx509 library for this. 

I would note that our KDC requirements have changed again, and we will
likewise require a patched or updated MIT Kerberos if we want to go down
that road. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the samba-technical mailing list