On Wed May 14 17:47:33 2025 +0000, Hans Leidekker wrote:
ISC_REQ_USE_DCE_STYLE is what we use every else and it uses a different buffer layout, so I thought it was worth a shot. We want to avoid making assumptions about buffer layout here since that defeats the purpose of Negotiate (and SASL). I wonder if this should be fixed in the Negotiate provider instead. Currently we simply pass through to Kerberos/NTLM, perhaps that's not correct.
USE_DCE_STYLE doesn't work for Kerberos, at least I had to remove it in winhttp and wininet to make authorization work.
Regarding SASL buffer layout I'd guess it's documented somewhere, but I didn't manage to find it. And it took quite a bit of effort to figure it out until I compared sasl_w.c code with the code from cyrusmap.
P.S.
Also we have to address the problem when EncryptMessage() returns token less in size than 64 (KERBEROS_SECURITY_TRAILER), for me it returns 60. The problem is that sasl_decode() assumes that input buffer trailer is 64 bytes long, that leads to wrong buffer sizes passed to DecryptMessage(), and it fails. I have a patch for that.