Add CompleteAuthToken from SSPI

[michael-o]

Currently, SSPI mappings completely miss CompleteAuthToken with the appropriate security statuses SEC_I_COMPLETE_NEEDED and SEC_I_COMPLETE_AND_CONTINUE which require the aforementioned function. Moreover, the return codes from this function must be available as well.

[dblock]

Please contribute!

[michael-o]

OK, will have a look how things work in JNA to make the appropriate changes.

[dblock]

Does this also say that we're not handling SEC_I_COMPLETE_NEEDED in https://github.com/dblock/waffle? I've never seen this error in any production environment.

[michael-o]

Yes, it does. I cannot tell when this is really necessary but if it is documented, it should be applied. The secrets of this are only known to Microsoft.

[dblock]

@michael-o Actually the doc is very clear on this, https://msdn.microsoft.com/en-us/library/windows/desktop/aa374764(v=vs.85).aspx says:

So it's not necessary for Negotiate (neither NTLM nor Kerberos).

[michael-o]

That contradicts the return values for Kerberos: https://msdn.microsoft.com/en-us/library/windows/desktop/aa375507%28v=vs.85%29.aspx

One should ask Microsoft...

The safest best would be to comply to the return values and add some comment to the code. This is clearly a dispute.

[dblock]

I think the safest would be to handle it. Either way JNA needs this function mapping which is this issue, and please feel free to contribute.

[michael-o]

This is something I have on my radar but won't happen before next month.

[matthiasblaesing]

From my POV implementing CompleteAuthToken is of limited use. From my reading it is only used in digest authentication. I'm willing to look into this, but I failed to find documentation for a simple digest handshake. If someone can point me to sample code for digest auth, I'm willing to look into this.

[michael-o]

@matthiasblaesing MSDN is contradicting itself. One place talks about Digest only, other places take about the general use.

[matthiasblaesing]

@michael-o I won't dispute that here. I could bind the function just with the MSDN/header, but I want to have a unittest for the function. The current unittests simulate the authentication headshake in process, I failed to implement that for digest and given that digest is the only known module, that definitely requires this, I need sample code, that demonstrates the correct use.

[michael-o]

Here you go: https://github.com/apache/serf/blob/trunk/auth/auth_spnego_sspi.c#l277

[matthiasblaesing]

Sorry - that code only exercises the NTLM and Negotiate packages. This won't help, as Negotiate is already used in the unittest code and does not lead to the requirement for CompleteAuthToken. As the MSDN only requires it for Digest, I'd like to code sample for that -- preferably a minimal "in-process" handshake.

[michael-o]

Oh sorry, I thought you just wanted a real use case. But as you can see, the call is added for the sake of the interface. Being in a corporate environment, I have never seen a use of Digest. SPNEGO or NTLM only. Even though, one cannot be sure that it won't be used for NTLM, we cannot look into Microsoft's code.

[matthiasblaesing]

I'm about to bind the method without testing, but working with SecBufferDesc I learned the hard way, that bindings without full testing are prone to failures. You'll end up with an untested method, that will most probably never be called, so you don't even know whether it would work.

[michael-o]

Correct. I'd just add it. If someone does have some valid Digest use case, that'd be fine.

[matthiasblaesing]

Ok, merged as announced.