s3-seal use gensec_[un]wrap() instead of gensec_[un]seal_packet()
Andrew Bartlett
abartlet at samba.org
Fri Oct 21 16:38:53 MDT 2011
On Fri, 2011-10-21 at 14:19 +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
>
> >> s3-seal use gensec_[un]wrap() instead of gensec_[un]seal_packet()
> >>
> >> This should not make a difference for NTLMSSP as it still calls the
> >> low level ntlmssp_[un]seal_packet() functions with the same input
> >> parameters.
> >>
> >> If we convert the gss-api/krb5 based code to gensec we have to use
> >> gensec_[un]wrap() as the wire format is different compared to
> >> gensec_[un]seal_packet() there.
> >>
> >> Andrew Bartlett
> >>
> >> Split from another commit by Stefan Metzmacher <metze at samba.org>
> >
> > I'm confused by this confusingly attributed statement.
> >
> > I implemented common_ntlm_decrypt_buffer() not by modifying the
> > function, but by copying in the common_gss_decrypt_buffer() and then
> > replacing GSS calls with gensec calls.
> >
> > That is why I think that a properly implemented gssapi gensec module
> > (mapping gensec_wrap to gss_wrap) would work. What makes you think
> > otherwise?
>
> Sorry, if my wording is confusing...
>
> My point is that we have to use gensec_wrap() as that will map to
> gss_wrap(), if we use kerberos.
> Do you get what I mean?
Yes, that makes sense, and matches my intent.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org