https://bugs.winehq.org/show_bug.cgi?id=55304
--- Comment #12 from Hans Leidekker hans@meelstraat.net --- (In reply to Dmitry Timoshkov from comment #10)
What about Negotiate?
Do you have an idea how to test it? Apparently for a proper test it's necessary to create a connection, and once the connection is set up it's up to a backend (NTLM/Kerberos) to handle it.
Yes, but you'd call QueryContextAttributes() on a Negotiate context handle instead of Kerberos/NTLM. We already have some tests for Negotiate.
(In reply to Hans Leidekker from comment #6)
(In reply to Dmitry Timoshkov from comment #2)
(In reply to Hans Leidekker from comment #1)
SSF is used by ldap_int_sasl_bind() to determine if the SASL security layer should be used at all. This page documents it as representing the key size for values > 1:
https://docs.oracle.com/cd/E19120-01/open.solaris/819-2145/sasl.intro-44/ index.html
libldap simply checks for a not zero ssf value: https://github.com/openldap/openldap/blob/master/libraries/libldap/cyrus. c#L745
That's an implementation detail we shouldn't rely on.
Why? Since libldap is now part of wldap32 and GSSAPI SASL pluging is also part of libldap now it's part of the implementation detail we can surely rely on.
We include it Wine but it's still code from an external project that we want to update when necessary. I'd rather avoid depending on how the value is used. Also note that the session key attribute was specifically added to GSSAPI to be compatible with SSPI.
I don't understand why the trailer size depends on the server since we have always depended on a constant trailer size. Is that because of a difference between Samba and AD?
I've tested with Microsoft and Samba servers and both of them use 60 for actual encryped data, and decrypting with 64 abviously doesn't work. In the same time QueryContextAttributesA(SECPKG_ATTR_SIZES) returns 64 for the connection.
I can find references for Windows changing from 12000 max token size to 48000 but not 48256. Where does it come from?
Found it, max token size is 48256 for Negotiate and 48000 for Kerberos.
It comes from a test that calls QueryContextAttributesA(SECPKG_ATTR_SIZES) under Windows 10 for the Samba server.
Hmm, maybe it's not decrypting in-place? This used to work without querying the trailer size from the context.
It does encrypt/decrypt in place, however as far as I understand it in win32 data and trailer are separate buffers while gss_wrap/gss_unwrap operate on a continuous buffer, and using wrong trailer size creates a hole between data and trailer which breaks gss_wrap/gss_unwrap assumptions.
The _iov variants should be compatible with win32 and I'm pretty sure this worked before. I'd like to figure out why it doesn't work anymore.