Today I released Heimdal 0.7 and Heimdal 0.6.5.
Heimdal 0.7 is a major leap forward and contains about 2-3 years of
development. The two things I like the most about the release are the
improved quality of the documentation and all the work that has gone
into making the tools and API easier to use, and bugfixes.
The largest change in the release that stands out is the addition of AES
support. It’s a very large change that touches code all over the place,
and there are for sure bugs in there, so if you are deploying 0.7, you
should do a good amount of testing for your environment to make sure.
Other new features are GSS-API SPNEGO support, KCM (process-based
credential caching), CCAPI (for Mac OS X), and tons of bugfixes.
For Heimdal 0.8 I’ll try to glue in PK-INIT support; it requires
changes to the ASN.1 compiler, and some more quality checking should
be done to verify its correctness. I should also try to merge in Luke
Howard’s mech-glue and new SPNEGO; it’s a very invasive patch that
changes the behavior of the GSS-API stack, but it opens up for
adding new mechanisms, and that is something that is badly needed.
The prototype SASL library and prototype SSH client/server I have
should also be cleaned up and added to Heimdal. Both are very
lightweight and only try to solve the simple problem.
Another subsystem that needs some work is testing. We should add
more tests more aggressively, both unit testing and system
testing. The latter is not really there at all today.
I’ll continue working with the Samba folks to improve the API and
integration with Samba. It’s a very important area for me; I feel that
I need to bring some order to the mess of Kerberos in Samba. It’s very
understandable that this happened, and it shouldn’t be too hard to do simple
fixes that improve Samba administrators’ lives.
I’m at the Apple WWDC-2005 conference in San Francisco. Steven Jobs announced Intel machines at the keynote this Monday, and yesterday I was down in the “Universal compatibility lab” that has quite a lot of shiny Apple computers that look like G5s, but inside there are Intel 3.4GHz CPUs.
So how did Heimdal work on them then? Just fine: configure, make, make check all worked w/o any problems. I checked both with openssl and the built-in libdes.
Today I re-started my hate for the ASN.1 Information Object Model (and ASN.1 in general). I was looking at how to work out a good way to name certificates, and PKCS9’s friendly name was something that I thought was easy enough to use. To make sure that it’s harder for everyone to understand, ASN.1 IOM is used. My problem with IOM is that it’s too easy to write really neat specifications that over time grow into several documents, which makes it really hard to trace what is supposed to happen.
I think I’ve found a way to solve the “password” problem for my PKCS12 code. The problem is that the user might want to specify a password, a prompter function, a key containing a password, a certificate/private key pair or some other thing to unlock the data. As usual, most work went into figuring out what the problem was; just passing around one password seemed silly. Now I think I have an API that will make sense internally, but the question is if it will work for consumers of the API too.
That said, my PKCS12 parser prototype is all done and I just need to clean it up and use the above unlock API; next up is PKCS11 support. I’ve got a prototype there, but it needs some adapting to the framework for certificates.
The Heimdal release hit a snag on AIX5; there is some issue with file credential caching. What makes it harder to test is that I don’t have access to a machine but have to work through a proxy.
KCM got whacked yesterday; I added doors support. My first door application. It’s a very reasonable interface to use. I like it, though there needs to be some encoder/decoder lib to make it really useful. KCM already included that, so it was really easy to glue in doors since the kcm-protocol was already packet based.
The only thing I’m unhappy about is how the returning of data is done. door_return takes one of alloca(3)ed memory, mmap or thread local storage. The only one that is easy to use is alloca, but that is unportable. TLS is OK since I create a thread for each request, but it is cheating. There is some help from Andy Tucker on how to solve this.
The KCM daemon by itself is a strange animal. It’s a system-wide daemon that takes care of all users’ credentials, compared to ssh-agent, which is one process per user. One big feature of KCM is that it solves the problem that unprivileged processes. Now they can do password verification using a keytab and access (indirectly) smartcard readers.
The Heimdal 0.7 release is getting closer; there is only the token delegation issue in GSS-API left now.