s3-seal use gensec_[un]wrap() instead of gensec_[un]seal_packet()
Stefan (metze) Metzmacher
metze at samba.org
Fri Oct 21 06:19:35 MDT 2011
>> s3-seal use gensec_[un]wrap() instead of gensec_[un]seal_packet()
>> This should not make a difference for NTLMSSP as it still calls
>> low level ntlmssp_[un]seal_packet() functions with the same input
>> If we convert the gss-api/krb5 based code to gensec we have to use
>> gensec_[un]wrap() as the wire format is different compared to
>> gensec_[un]seal_packet() there.
>> Andrew Bartlett
>> Split from another commit by Stefan Metzmacher <metze at samba.org>
> I'm confused by this confusingly attributed statement.
> I implemented common_ntlm_decrypt_buffer() not by modifying the
> function, but by copying in the common_gss_decrypt_buffer() and then
> replacing GSS calls with gensec calls.
> That is why I think that a properly implemented gssapi gensec module
> (mapping gensec_wrap to gss_wrap) would work. What makes you think
Sorry, if my wording is confusing...
My point is that we have to use gensec_wrap() as that will map to
if we use Kerberos.
If we would change common_gss_encrypt_buffer() to use gensec_seal_packet()
(which maps to something like gss_wrap_iov()), we would break the
And as we need to use gensec_wrap() for krb5, it's a good idea to also use
it for NTLMSSP. So that we'll just have one generic code path in future.
I added this extra commit split from commit
(s3-ntlmssp Remove references to auth_ntlmssp_context from the smb
to make it more explicit that we change from gensec_seal_packet() to
in a single step. The commit message tries to explain why this is possible
without wire visible changes and also why it's good to change at all.
Do you get what I mean?