s3-seal use gensec_[un]wrap() instead of gensec_[un]seal_packet()

Stefan (metze) Metzmacher metze at samba.org
Fri Oct 21 06:19:35 MDT 2011

Hi Andrew,

>>     s3-seal use gensec_[un]wrap() instead of gensec_[un]seal_packet()
>>     This should not make a difference for NTLMSSP as it still calls the
>>     low level ntlmssp_[un]seal_packet() functions with the same input
>>     parameters.
>>     If we convert the gss-api/krb5 based code to gensec we have to use
>>     gensec_[un]wrap() as the wire format is different compared to
>>     gensec_[un]seal_packet() there.
>>     Andrew Bartlett
>>     Split from another commit by Stefan Metzmacher <metze at samba.org>
> I'm confused by this confusingly attributed statement.
> I implemented common_ntlm_decrypt_buffer() not by modifying the
> function, but by copying in the common_gss_decrypt_buffer() and then
> replacing GSS calls with gensec calls.
> That is why I think that a properly implemented gssapi gensec module
> (mapping gensec_wrap to gss_wrap) would work.  What makes you think
> otherwise?

Sorry if my wording is confusing...

My point is that we have to use gensec_wrap() as that will map to
if we use kerberos.

If we changed common_gss_encrypt_buffer() to use gensec_seal_packet()
(which maps to something like gss_wrap_iov()), we would break the
encryption against existing clients/servers.

And as we need to use gensec_wrap() for krb5, it's a good idea to also use
it for NTLMSSP, so that we'll just have one generic code path in future.

I added this extra commit split from commit
(s3-ntlmssp Remove references to auth_ntlmssp_context from the smb
sealing code)
to make it more explicit that we change from gensec_seal_packet() to
in a single step. The commit message tries to explain why this is possible
without wire visible changes and also why it's good to change at all.

Do you get what I mean?

