s3-seal use gensec_[un]wrap() instead of gensec_[un]seal_packet()

Andrew Bartlett abartlet at samba.org
Fri Oct 21 05:56:05 MDT 2011

On Fri, 2011-10-21 at 10:23 +0200, Stefan Metzmacher wrote:
> commit b9b170a9dd640dbde0a707b972fdb0c611e68df5
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Thu Oct 20 11:53:40 2011 +0200
>     s3-seal use gensec_[un]wrap() instead of gensec_[un]seal_packet()
>     This should not make a difference for NTLMSSP as it still calls
> the
>     low level ntlmssp_[un]seal_packet() functions with the same input
> parameters.
>     If we convert the gss-api/krb5 based code to gensec we have to use
>     gensec_[un]wrap() as the wire format is different compared to
>     gensec_[un]seal_packet() there.
>     Andrew Bartlett
>     Split from another commit by Stefan Metzmacher <metze at samba.org>

I'm confused by this confusingly attributed statement.

I implemented common_ntlm_decrypt_buffer() not by modifying the
fucntion, but by copying in the common_gss_decrypt_buffer() and then
replacing GSS calls with gensec calls.

That is why I think that a properly implemented gssapi gensec module
(mapping gensec_wrap to gss_wrap) would work.  What makes you think

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list