https://bugs.winehq.org/show_bug.cgi?id=55304
--- Comment #10 from Dmitry Timoshkov dmitry@baikal.ru --- (In reply to Hans Leidekker from comment #5)
(In reply to Dmitry Timoshkov from comment #3)
(In reply to Hans Leidekker from comment #1)
I have replaced QueryContextAttributesA(SECPKG_ATTR_KEY_INFO) with QueryContextAttributesA(SECPKG_ATTR_SESSION_KEY) after implementing the attribute for Kerberos and NTLM.
According to my testing Kerberos implementation under Windows 10 returns SEC_E_UNSUPPORTED_FUNCTION for QueryContextAttributes(SECPKG_ATTR_SESSION_KEY). What Windows version are you testing with?
What about Negotiate?
Do you have an idea how to test it? Apparently for a proper test it's necessary to create a connection, and once the connection is set up it's up to a backend (NTLM/Kerberos) to handle it.
(In reply to Hans Leidekker from comment #6)
(In reply to Dmitry Timoshkov from comment #2)
(In reply to Hans Leidekker from comment #1)
SSF is used by ldap_int_sasl_bind() to determine if the SASL security layer should be used at all. This page documents it as representing the key size for values > 1:
https://docs.oracle.com/cd/E19120-01/open.solaris/819-2145/sasl.intro-44/ index.html
libldap simply checks for a not zero ssf value: https://github.com/openldap/openldap/blob/master/libraries/libldap/cyrus. c#L745
That's an implementation detail we shouldn't rely on.
Why? Since libldap is now part of wldap32 and GSSAPI SASL pluging is also part of libldap now it's part of the implementation detail we can surely rely on.
I don't understand why the trailer size depends on the server since we have always depended on a constant trailer size. Is that because of a difference between Samba and AD?
I've tested with Microsoft and Samba servers and both of them use 60 for actual encryped data, and decrypting with 64 abviously doesn't work. In the same time QueryContextAttributesA(SECPKG_ATTR_SIZES) returns 64 for the connection.
I can find references for Windows changing from 12000 max token size to 48000 but not 48256. Where does it come from?
It comes from a test that calls QueryContextAttributesA(SECPKG_ATTR_SIZES) under Windows 10 for the Samba server.
Hmm, maybe it's not decrypting in-place? This used to work without querying the trailer size from the context.
It does encrypt/decrypt in place, however as far as I understand it in win32 data and trailer are separate buffers while gss_wrap/gss_unwrap operate on a continuous buffer, and using wrong trailer size creates a hole between data and trailer which breaks gss_wrap/gss_unwrap assumptions.