Release v5.21

Spotted by Gijs Vermeulen.

README.md

@@ -83,29 +83,28 @@ requests are strongly dispreferred, especially for patches.
 
 Donations
 ---------
-As many of you may or may not know, wine-staging is a large set of experimental
-patches which provide various improvements to WINE, but are not quite suitable for
-upstreaming. This set of patches has been continuously managed for many years by
-us, a small group of volunteers.  The way this works is that we often review patches
-attached to various bug reports found at https://bugs.winehq.org/ which may fix bugs,
-but may not be quite suitable to be upstreamed due to needing some cleanup or more
-proper implementation. In the event that this happens, we add the patches to wine-staging
-instead, and keep them updated/maintained as well as attempt to clean them up to be upstreamed.
-We also both write and verify patches which fix various bugs that may not have patches,
-and in turn allow them run better using WINE. This includes testing on various hardware,
-games, and applications. 
 
-As this is a volunteer project which is separate from WINE and CodeWeavers, any expenses
-for applications, games, or hardware which we do not own comes out of pocket. This is the
-reason this patreon has been created. All of our work is provided publicly for free and can
-be found at https://github.com/wine-staging/wine-staging. We do not expect to be paid for
-any of the work provided, as mentioned this project is completely voluntary. However the
-proceeds from Patreon are most definitely appreciated, and go towards helping us with
-obtaining the various hardware and software mentioned. This in turn allows us to continue
-to perform testing, provide fixes, and get them upstreamed, ultimately aiming to provide a
-better experience for all WINE users.
+wine-staging is a large set of experimental patches which provide various
+improvements to WINE, but are not quite suitable for upstreaming. This set of
+patches has been continuously managed for many years by a small group of
+volunteers. The way this works is that we often review patches attached to
+various bug reports found at https://bugs.winehq.org/ which may fix bugs, but
+may not be quite suitable to be upstreamed due to needing some cleanup or more
+proper implementation. In the event that this happens, we add the patches to
+wine-staging instead, and keep them updated and maintained as well as attempt to
+clean them up to be upstreamed. We also both write and verify patches which fix
+various bugs that may not have patches, and in turn allow them run better using
+WINE. This includes testing on various hardware, games, and applications.
 
+Any expenses for applications, games, or hardware which we do not own comes out
+of pocket. In order to alleviate these expenses, we are now accepting donations.
+This in turn allows us to continue to perform testing, provide fixes, and get
+them upstreamed, ultimately aiming to provide a better experience for all WINE
+users. All of our work is provided publicly for free and can be found at
+<https://github.com/wine-staging/wine-staging>. We do not expect to be paid for
+any of the work provided, nor will donators receive any special benefits or
+compensation.
 
-For anyone interested, wine-staging Patreon can be found here:
+Donations are recieved through Patreon. Anyone interested may donate here:
 
 https://www.patreon.com/winestaging

patches/Staging/0001-kernel32-Add-winediag-message-to-show-warning-that-t.patch

@@ -1,49 +1,60 @@
-From aa9cb874b1fb89601d6a5a735b442b8a7aa7b3aa Mon Sep 17 00:00:00 2001
+From 0cf6433af95363c5fbba2af482b2ba50b863dfb7 Mon Sep 17 00:00:00 2001
 From: Sebastian Lackner <sebastian@fds-team.de>
 Date: Thu, 2 Oct 2014 19:44:31 +0200
-Subject: [PATCH] kernel32: Add winediag message to show warning, that this
- isn't vanilla wine.
+Subject: [PATCH] ntdll: Print a warning message specifying the wine-staging
+ branch name and version.
 
 ---
- dlls/kernel32/process.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
+ dlls/ntdll/loader.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
 
-diff --git a/dlls/kernel32/process.c b/dlls/kernel32/process.c
-index 8f506fcf1320..45bfe7fe7b5d 100644
---- a/dlls/kernel32/process.c
-+++ b/dlls/kernel32/process.c
-@@ -60,6 +60,7 @@
- 
- WINE_DEFAULT_DEBUG_CHANNEL(process);
- WINE_DECLARE_DEBUG_CHANNEL(relay);
+diff --git a/dlls/ntdll/loader.c b/dlls/ntdll/loader.c
+index 20bc3f977d1..c2187a19397 100644
+--- a/dlls/ntdll/loader.c
++++ b/dlls/ntdll/loader.c
+@@ -44,6 +44,7 @@ WINE_DECLARE_DEBUG_CHANNEL(relay);
+ WINE_DECLARE_DEBUG_CHANNEL(snoop);
+ WINE_DECLARE_DEBUG_CHANNEL(loaddll);
+ WINE_DECLARE_DEBUG_CHANNEL(imports);
 +WINE_DECLARE_DEBUG_CHANNEL(winediag);
  
- typedef struct
- {
-@@ -125,6 +126,7 @@ static inline DWORD call_process_entry( PEB *peb, LPTHREAD_START_ROUTINE entry )
+ #ifdef _WIN64
+ #define DEFAULT_SECURITY_COOKIE_64  (((ULONGLONG)0x00002b99 << 32) | 0x2ddfa232)
+@@ -3456,6 +3457,7 @@ static void process_breakpoint(void)
+     __ENDTRY
  }
- #endif
  
 +extern const char * CDECL wine_get_version(void);
- /***********************************************************************
-  *           __wine_start_process
-  *
-@@ -150,6 +152,15 @@ void CDECL __wine_start_process( LPTHREAD_START_ROUTINE entry, PEB *peb )
  
-     __TRY
-     {
-+        if (CreateEventA(0, 0, 0, "__winestaging_warn_event") && GetLastError() != ERROR_ALREADY_EXISTS)
-+        {
-+            FIXME_(winediag)("Wine Staging %s is a testing version containing experimental patches.\n", wine_get_version());
-+            FIXME_(winediag)("Please mention your exact version when filing bug reports on winehq.org.\n");
-+        }
-+        else
-+            WARN_(winediag)("Wine Staging %s is a testing version containing experimental patches.\n", wine_get_version());
-+
-+
-         if (!CheckRemoteDebuggerPresent( GetCurrentProcess(), &being_debugged ))
-             being_debugged = FALSE;
+ /******************************************************************
+  *		LdrInitializeThunk (NTDLL.@)
+@@ -3465,6 +3467,9 @@ static void process_breakpoint(void)
+  */
+ void WINAPI LdrInitializeThunk( CONTEXT *context, ULONG_PTR unknown2, ULONG_PTR unknown3, ULONG_PTR unknown4 )
+ {
++    OBJECT_ATTRIBUTES staging_event_attr;
++    UNICODE_STRING staging_event_string;
++    HANDLE staging_event;
+     static int attach_done;
+     int i;
+     NTSTATUS status;
+@@ -3483,6 +3488,16 @@ void WINAPI LdrInitializeThunk( CONTEXT *context, ULONG_PTR unknown2, ULONG_PTR
+     entry = (void **)&context->u.s.X0;
+ #endif
  
++    RtlInitUnicodeString( &staging_event_string, L"\\__wine_staging_warn_event" );
++    InitializeObjectAttributes( &staging_event_attr, &staging_event_string, OBJ_OPENIF, NULL, NULL );
++    if (NtCreateEvent( &staging_event, EVENT_ALL_ACCESS, &staging_event_attr, NotificationEvent, FALSE ) == STATUS_SUCCESS)
++    {
++        FIXME_(winediag)("wine-staging %s is a testing version containing experimental patches.\n", wine_get_version());
++        FIXME_(winediag)("Please mention your exact version when filing bug reports on winehq.org.\n");
++    }
++    else
++        WARN_(winediag)("wine-staging %s is a testing version containing experimental patches.\n", wine_get_version());
++
+     if (process_detaching) NtTerminateThread( GetCurrentThread(), 0 );
+ 
+     RtlEnterCriticalSection( &loader_section );
 -- 
-2.26.2
+2.28.0
 

patches/Staging/0002-winelib-Append-Staging-at-the-end-of-the-version-s.patch

@@ -1,39 +1,35 @@
-From c097870c69720ece3874ad4ff987408a8c24ffb2 Mon Sep 17 00:00:00 2001
+From ce5e1fc75139e4de9d92dfe27b4a513a96da013c Mon Sep 17 00:00:00 2001
 From: Sebastian Lackner <sebastian@fds-team.de>
 Date: Thu, 2 Oct 2014 19:53:46 +0200
 Subject: [PATCH] winelib: Append '(Staging)' at the end of the version string.
 
 ---
- dlls/ntdll/Makefile.in | 2 +-
- libs/wine/Makefile.in  | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
+ Makefile.in            | 2 +-
+ dlls/ntdll/Makefile.in | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
 
+diff --git a/Makefile.in b/Makefile.in
+index 307a95b3b1a..61019fed949 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -116,7 +116,7 @@ install-manpages:: manpages
+ # Rules for generated source files
+ 
+ dlls/ntdll/unix/version.c: dummy
+-	@version=`(GIT_DIR=$(srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || ($(RM) $@ && exit 1)
++	@version=`(GIT_DIR=$(srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1 (Staging)";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || (rm -f $@ && exit 1)
+ 
+ programs/winetest/build.rc: dummy
+ 	@build="STRINGTABLE { 1 \"`GIT_DIR=$(srcdir)/.git git rev-parse HEAD 2>/dev/null`\" }" && (echo $$build | cmp -s - $@) || echo $$build >$@ || (rm -f $@ && exit 1)
 diff --git a/dlls/ntdll/Makefile.in b/dlls/ntdll/Makefile.in
-index ebf607e9d43..de93445d4e3 100644
+index f39ffb42c6f..67847bb9392 100644
 --- a/dlls/ntdll/Makefile.in
 +++ b/dlls/ntdll/Makefile.in
-@@ -69,7 +69,7 @@ server_EXTRADEFS = \
- 	-DBIN_TO_DATADIR=\"`$(MAKEDEP) -R ${bindir} ${datadir}/wine`\"
- 
- unix/version.c: dummy
--	version=`(GIT_DIR=$(top_srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || (rm -f $@ && exit 1)
-+	version=`(GIT_DIR=$(top_srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1 (Staging)";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || (rm -f $@ && exit 1)
- 
- dummy:
- .PHONY: dummy
-diff --git a/libs/wine/Makefile.in b/libs/wine/Makefile.in
-index fe2a2b45e58..1e55a6b1f46 100644
---- a/libs/wine/Makefile.in
-+++ b/libs/wine/Makefile.in
-@@ -100,7 +100,7 @@ libwine_LDFLAGS = $(LIBWINE_LDFLAGS)
- libwine_DEPS = $(LIBWINE_DEPENDS)
- 
- version.c: dummy
--	version=`(GIT_DIR=$(top_srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || (rm -f $@ && exit 1)
-+	version=`(GIT_DIR=$(top_srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1  (Staging)";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || (rm -f $@ && exit 1)
- 
- dummy:
- .PHONY: dummy
+@@ -79,3 +79,4 @@ unix_loader_EXTRADEFS = \
+ 	-DBINDIR=\"${bindir}\" \
+ 	-DDLL_TO_BINDIR=\"`${MAKEDEP} -R ${dlldir} ${bindir}`\" \
+ 	-DBIN_TO_DATADIR=\"`${MAKEDEP} -R ${bindir} ${datadir}/wine`\"
++
 -- 
-2.26.2
+2.28.0
 

patches/Staging/0003-loader-Add-commandline-option-patches-to-show-the-pa.patch

@@ -1,117 +0,0 @@
-From 599c50c9e339fe04e96fdb665b3d7ccb1a7708b7 Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Thu, 29 May 2014 23:43:45 +0200
-Subject: [PATCH] loader: Add commandline option --patches to show the patch
- list.
-
----
- include/wine/library.h |  1 +
- libs/wine/config.c     |  6 ++++++
- libs/wine/wine.map     |  1 +
- loader/main.c          | 42 +++++++++++++++++++++++++++++++++++++++++-
- 4 files changed, 49 insertions(+), 1 deletion(-)
-
-diff --git a/include/wine/library.h b/include/wine/library.h
-index 090b8349559..b8a4a2df576 100644
---- a/include/wine/library.h
-+++ b/include/wine/library.h
-@@ -42,6 +42,7 @@ extern "C" {
- /* configuration */
- 
- extern const char *wine_get_version(void);
-+extern const void *wine_get_patches(void);
- extern const char *wine_get_build_id(void);
- extern void wine_init_argv0_path( const char *argv0 );
- extern void wine_exec_wine_binary( const char *name, char **argv, const char *env_var );
-diff --git a/libs/wine/config.c b/libs/wine/config.c
-index f5b4c0de9af..e52739d55ad 100644
---- a/libs/wine/config.c
-+++ b/libs/wine/config.c
-@@ -515,6 +515,12 @@ const char *wine_get_version(void)
-     return PACKAGE_VERSION;
- }
- 
-+/* return the applied non-standard patches */
-+const void *wine_get_patches(void)
-+{
-+    return NULL;
-+}
-+
- /* return the build id string */
- const char *wine_get_build_id(void)
- {
-diff --git a/libs/wine/wine.map b/libs/wine/wine.map
-index 1143b129734..55f874d3e74 100644
---- a/libs/wine/wine.map
-+++ b/libs/wine/wine.map
-@@ -13,6 +13,7 @@ WINE_1.0
-     wine_exec_wine_binary;
-     wine_get_build_id;
-     wine_get_version;
-+    wine_get_patches;
-     wine_init;
-     wine_init_argv0_path;
-     wine_mmap_add_reserved_area;
-diff --git a/loader/main.c b/loader/main.c
-index 0e6b6f66b50..24bcfff8c4c 100644
---- a/loader/main.c
-+++ b/loader/main.c
-@@ -55,7 +55,8 @@ static void check_command_line( int argc, char *argv[] )
-     static const char usage[] =
-         "Usage: wine PROGRAM [ARGUMENTS...]   Run the specified program\n"
-         "       wine --help                   Display this help and exit\n"
--        "       wine --version                Output version information and exit";
-+        "       wine --version                Output version information and exit\n"
-+        "       wine --patches                Output patch information and exit";
- 
-     if (argc <= 1)
-     {
-@@ -72,6 +73,45 @@ static void check_command_line( int argc, char *argv[] )
-         printf( "%s\n", wine_get_build_id() );
-         exit(0);
-     }
-+    if (!strcmp( argv[1], "--patches" ))
-+    {
-+        const struct
-+        {
-+            const char *author;
-+            const char *subject;
-+            int revision;
-+        }
-+        *next, *cur = wine_get_patches();
-+
-+        if (!cur)
-+        {
-+            fprintf( stderr, "Patchlist not available.\n" );
-+            exit(1);
-+        }
-+
-+        while (cur->author)
-+        {
-+            next = cur + 1;
-+            while (next->author)
-+            {
-+                if (strcmp( cur->author, next->author )) break;
-+                next++;
-+            }
-+
-+            printf( "%s (%d):\n", cur->author, (int)(next - cur) );
-+            while (cur < next)
-+            {
-+                printf( "      %s", cur->subject );
-+                if (cur->revision != 1)
-+                    printf( " [rev %d]", cur->revision );
-+                printf( "\n" );
-+                cur++;
-+            }
-+            printf( "\n" );
-+        }
-+
-+        exit(0);
-+    }
- }
- 
- 
--- 
-2.26.2
-

patches/Staging/definition

@@ -0,0 +1 @@
+#Depends: ntdll-FLS_Callbacks

patches/advapi32-CreateRestrictedToken/0001-ntdll-Implement-NtFilterToken.patch

@@ -1,334 +0,0 @@
-From 1b222275e7faf71ae1e5c94e297004055ec6f82f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Fri, 4 Aug 2017 02:33:14 +0200
-Subject: [PATCH] ntdll: Implement NtFilterToken.
-
----
- dlls/ntdll/ntdll.spec      |  2 +-
- dlls/ntdll/unix/security.c | 64 +++++++++++++++++++++++++++++
- include/winnt.h            |  5 +++
- include/winternl.h         |  1 +
- server/named_pipe.c        |  2 +-
- server/process.c           |  2 +-
- server/protocol.def        | 10 +++++
- server/security.h          |  4 +-
- server/token.c             | 84 +++++++++++++++++++++++++++++++++++++-
- 9 files changed, 168 insertions(+), 6 deletions(-)
-
-diff --git a/dlls/ntdll/ntdll.spec b/dlls/ntdll/ntdll.spec
-index a3bc57716da..f604c8a3c35 100644
---- a/dlls/ntdll/ntdll.spec
-+++ b/dlls/ntdll/ntdll.spec
-@@ -208,7 +208,7 @@
- # @ stub NtEnumerateSystemEnvironmentValuesEx
- @ stdcall -syscall NtEnumerateValueKey(long long long ptr long ptr)
- @ stub NtExtendSection
--# @ stub NtFilterToken
-+@ stdcall -syscall NtFilterToken(long long ptr ptr ptr ptr)
- @ stdcall -syscall NtFindAtom(ptr long ptr)
- @ stdcall -syscall NtFlushBuffersFile(long ptr)
- @ stdcall -syscall NtFlushInstructionCache(long ptr long)
-diff --git a/dlls/ntdll/unix/security.c b/dlls/ntdll/unix/security.c
-index daecc5e0591..d063d43d6d4 100644
---- a/dlls/ntdll/unix/security.c
-+++ b/dlls/ntdll/unix/security.c
-@@ -604,6 +604,70 @@ NTSTATUS WINAPI NtAdjustPrivilegesToken( HANDLE token, BOOLEAN disable, TOKEN_PR
- }
- 
- 
-+/***********************************************************************
-+ *             NtFilterToken  (NTDLL.@)
-+ */
-+NTSTATUS WINAPI NtFilterToken( HANDLE token, ULONG flags, TOKEN_GROUPS *disable_sids,
-+                               TOKEN_PRIVILEGES *privileges, TOKEN_GROUPS *restrict_sids,
-+                               HANDLE *new_token )
-+{
-+    data_size_t privileges_len = 0;
-+    data_size_t sids_len = 0;
-+    SID *sids = NULL;
-+    NTSTATUS status;
-+
-+    TRACE( "(%p, 0x%08x, %p, %p, %p, %p)\n", token, flags, disable_sids, privileges,
-+           restrict_sids, new_token );
-+
-+    if (flags)
-+        FIXME( "flags %x unsupported\n", flags );
-+
-+    if (restrict_sids)
-+        FIXME( "support for restricting sids not yet implemented\n" );
-+
-+    if (privileges)
-+        privileges_len = privileges->PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES);
-+
-+    if (disable_sids)
-+    {
-+        DWORD len, i;
-+        BYTE *tmp;
-+
-+        for (i = 0; i < disable_sids->GroupCount; i++)
-+        {
-+            SID *sid = disable_sids->Groups[i].Sid;
-+            sids_len += offsetof( SID, SubAuthority[sid->SubAuthorityCount] );
-+        }
-+
-+        sids = malloc( sids_len );
-+        if (!sids) return STATUS_NO_MEMORY;
-+
-+        for (i = 0, tmp = (BYTE *)sids; i < disable_sids->GroupCount; i++, tmp += len)
-+        {
-+            SID *sid = disable_sids->Groups[i].Sid;
-+            len = offsetof( SID, SubAuthority[sid->SubAuthorityCount] );
-+            memcpy( tmp, disable_sids->Groups[i].Sid, len );
-+        }
-+    }
-+
-+    SERVER_START_REQ( filter_token )
-+    {
-+        req->handle          = wine_server_obj_handle( token );
-+        req->flags           = flags;
-+        req->privileges_size = privileges_len;
-+        wine_server_add_data( req, privileges->Privileges, privileges_len );
-+        wine_server_add_data( req, sids, sids_len );
-+        status = wine_server_call( req );
-+        if (!status) *new_token = wine_server_ptr_handle( reply->new_handle );
-+    }
-+    SERVER_END_REQ;
-+
-+    free( sids );
-+    return status;
-+}
-+
-+
-+
- /***********************************************************************
-  *             NtPrivilegeCheck  (NTDLL.@)
-  */
-diff --git a/include/winnt.h b/include/winnt.h
-index e1cf78420a6..da17fe3e330 100644
---- a/include/winnt.h
-+++ b/include/winnt.h
-@@ -4221,6 +4221,11 @@ typedef enum _TOKEN_INFORMATION_CLASS {
- 					TOKEN_ADJUST_SESSIONID | \
- 					TOKEN_ADJUST_DEFAULT )
- 
-+#define DISABLE_MAX_PRIVILEGE 0x1
-+#define SANDBOX_INERT         0x2
-+#define LUA_TOKEN             0x4
-+#define WRITE_RESTRICTED      0x8
-+
- #ifndef _SECURITY_DEFINED
- #define _SECURITY_DEFINED
- 
-diff --git a/include/winternl.h b/include/winternl.h
-index b3fbb90feff..4687a410ca4 100644
---- a/include/winternl.h
-+++ b/include/winternl.h
-@@ -2749,6 +2749,7 @@ NTSYSAPI NTSTATUS  WINAPI NtDuplicateToken(HANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES
- NTSYSAPI NTSTATUS  WINAPI NtEnumerateKey(HANDLE,ULONG,KEY_INFORMATION_CLASS,void *,DWORD,DWORD *);
- NTSYSAPI NTSTATUS  WINAPI NtEnumerateValueKey(HANDLE,ULONG,KEY_VALUE_INFORMATION_CLASS,PVOID,ULONG,PULONG);
- NTSYSAPI NTSTATUS  WINAPI NtExtendSection(HANDLE,PLARGE_INTEGER);
-+NTSYSAPI NTSTATUS  WINAPI NtFilterToken(HANDLE,ULONG,TOKEN_GROUPS*,TOKEN_PRIVILEGES*,TOKEN_GROUPS*,HANDLE*);
- NTSYSAPI NTSTATUS  WINAPI NtFindAtom(const WCHAR*,ULONG,RTL_ATOM*);
- NTSYSAPI NTSTATUS  WINAPI NtFlushBuffersFile(HANDLE,IO_STATUS_BLOCK*);
- NTSYSAPI NTSTATUS  WINAPI NtFlushInstructionCache(HANDLE,LPCVOID,SIZE_T);
-diff --git a/server/named_pipe.c b/server/named_pipe.c
-index b259abb8de4..4cd4d7dc4a8 100644
---- a/server/named_pipe.c
-+++ b/server/named_pipe.c
-@@ -1142,7 +1142,7 @@ static int pipe_server_ioctl( struct fd *fd, ioctl_code_t code, struct async *as
-         if (current->process->token) /* FIXME: use the client token */
-         {
-             struct token *token;
--            if (!(token = token_duplicate( current->process->token, 0, SecurityImpersonation, NULL )))
-+            if (!(token = token_duplicate( current->process->token, 0, SecurityImpersonation, NULL, NULL, 0, NULL, 0 )))
-                 return 0;
-             if (current->token) release_object( current->token );
-             current->token = token;
-diff --git a/server/process.c b/server/process.c
-index 5e587b28cbe..406167e825b 100644
---- a/server/process.c
-+++ b/server/process.c
-@@ -577,7 +577,7 @@ struct process *create_process( int fd, struct process *parent, int inherit_all,
-                                        : alloc_handle_table( process, 0 );
-         /* Note: for security reasons, starting a new process does not attempt
-          * to use the current impersonation token for the new process */
--        process->token = token_duplicate( parent->token, TRUE, 0, NULL );
-+        process->token = token_duplicate( parent->token, TRUE, 0, NULL, NULL, 0, NULL, 0 );
-         process->affinity = parent->affinity;
-     }
-     if (!process->handles || !process->token) goto error;
-diff --git a/server/protocol.def b/server/protocol.def
-index a121c371c19..ee07b1eca14 100644
---- a/server/protocol.def
-+++ b/server/protocol.def
-@@ -3263,6 +3263,16 @@ enum caret_state
-     obj_handle_t  new_handle; /* duplicated handle */
- @END
- 
-+@REQ(filter_token)
-+    obj_handle_t  handle;          /* handle to the token to duplicate */
-+    unsigned int  flags;           /* flags */
-+    data_size_t   privileges_size; /* size of privileges */
-+    VARARG(privileges,LUID_AND_ATTRIBUTES,privileges_size); /* privileges to remove from new token */
-+    VARARG(disable_sids,SID);      /* array of groups to remove from new token */
-+@REPLY
-+    obj_handle_t  new_handle;      /* filtered handle */
-+@END
-+
- @REQ(access_check)
-     obj_handle_t    handle; /* handle to the token */
-     unsigned int    desired_access; /* desired access to the object */
-diff --git a/server/security.h b/server/security.h
-index 606dbb2ab2c..6c337143c3d 100644
---- a/server/security.h
-+++ b/server/security.h
-@@ -56,7 +56,9 @@ extern const PSID security_high_label_sid;
- extern struct token *token_create_admin(void);
- extern int token_assign_label( struct token *token, PSID label );
- extern struct token *token_duplicate( struct token *src_token, unsigned primary,
--                                      int impersonation_level, const struct security_descriptor *sd );
-+                                      int impersonation_level, const struct security_descriptor *sd,
-+                                      const LUID_AND_ATTRIBUTES *filter_privileges, unsigned int priv_count,
-+                                      const SID *filter_groups, unsigned int group_count );
- extern int token_check_privileges( struct token *token, int all_required,
-                                    const LUID_AND_ATTRIBUTES *reqprivs,
-                                    unsigned int count, LUID_AND_ATTRIBUTES *usedprivs);
-diff --git a/server/token.c b/server/token.c
-index 2fa95e17aaf..38a4c203d54 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -285,6 +285,19 @@ static int acl_is_valid( const ACL *acl, data_size_t size )
-     return TRUE;
- }
- 
-+static unsigned int get_sid_count( const SID *sid, data_size_t size )
-+{
-+    unsigned int count;
-+
-+    for (count = 0; size >= sizeof(SID) && security_sid_len( sid ) <= size; count++)
-+    {
-+        size -= security_sid_len( sid );
-+        sid = (const SID *)((char *)sid + security_sid_len( sid ));
-+    }
-+
-+    return count;
-+}
-+
- /* checks whether all members of a security descriptor fit inside the size
-  * of memory specified */
- int sd_is_valid( const struct security_descriptor *sd, data_size_t size )
-@@ -626,8 +639,36 @@ static struct token *create_token( unsigned primary, const SID *user,
-     return token;
- }
- 
-+static int filter_group( struct group *group, const SID *filter, unsigned int count )
-+{
-+    unsigned int i;
-+
-+    for (i = 0; i < count; i++)
-+    {
-+        if (security_equal_sid( &group->sid, filter )) return 1;
-+        filter = (const SID *)((char *)filter + security_sid_len( filter ));
-+    }
-+
-+    return 0;
-+}
-+
-+static int filter_privilege( struct privilege *privilege, const LUID_AND_ATTRIBUTES *filter, unsigned int count )
-+{
-+    unsigned int i;
-+
-+    for (i = 0; i < count; i++)
-+    {
-+        if (!memcmp( &privilege->luid, &filter[i].Luid, sizeof(LUID) ))
-+            return 1;
-+    }
-+
-+    return 0;
-+}
-+
- struct token *token_duplicate( struct token *src_token, unsigned primary,
--                               int impersonation_level, const struct security_descriptor *sd )
-+                               int impersonation_level, const struct security_descriptor *sd,
-+                               const LUID_AND_ATTRIBUTES *filter_privileges, unsigned int priv_count,
-+                               const SID *filter_groups, unsigned int group_count)
- {
-     const luid_t *modified_id =
-         primary || (impersonation_level == src_token->impersonation_level) ?
-@@ -663,6 +704,12 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
-             return NULL;
-         }
-         memcpy( newgroup, group, size );
-+        if (filter_group( group, filter_groups, group_count ))
-+        {
-+            newgroup->enabled = 0;
-+            newgroup->def = 0;
-+            newgroup->deny_only = 1;
-+        }
-         list_add_tail( &token->groups, &newgroup->entry );
-         if (src_token->primary_group == &group->sid)
-         {
-@@ -674,11 +721,14 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
- 
-     /* copy privileges */
-     LIST_FOR_EACH_ENTRY( privilege, &src_token->privileges, struct privilege, entry )
-+    {
-+        if (filter_privilege( privilege, filter_privileges, priv_count )) continue;
-         if (!privilege_add( token, &privilege->luid, privilege->enabled ))
-         {
-             release_object( token );
-             return NULL;
-         }
-+    }
- 
-     if (sd) default_set_sd( &token->obj, sd, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
-                             DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION );
-@@ -1311,7 +1361,7 @@ DECL_HANDLER(duplicate_token)
-                                                      TOKEN_DUPLICATE,
-                                                      &token_ops )))
-     {
--        struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level, sd );
-+        struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level, sd, NULL, 0, NULL, 0 );
-         if (token)
-         {
-             reply->new_handle = alloc_handle_no_access_check( current->process, token, req->access, objattr->attributes );
-@@ -1321,6 +1371,36 @@ DECL_HANDLER(duplicate_token)
-     }
- }
- 
-+/* creates a restricted version of a token */
-+DECL_HANDLER(filter_token)
-+{
-+    struct token *src_token;
-+
-+    if ((src_token = (struct token *)get_handle_obj( current->process, req->handle,
-+                                                     TOKEN_DUPLICATE,
-+                                                     &token_ops )))
-+    {
-+        const LUID_AND_ATTRIBUTES *filter_privileges = get_req_data();
-+        unsigned int priv_count, group_count;
-+        const SID *filter_groups;
-+        struct token *token;
-+
-+        priv_count = min( req->privileges_size, get_req_data_size() ) / sizeof(LUID_AND_ATTRIBUTES);
-+        filter_groups = (const SID *)((char *)filter_privileges + priv_count * sizeof(LUID_AND_ATTRIBUTES));
-+        group_count = get_sid_count( filter_groups, get_req_data_size() - priv_count * sizeof(LUID_AND_ATTRIBUTES) );
-+
-+        token = token_duplicate( src_token, src_token->primary, src_token->impersonation_level, NULL,
-+                                 filter_privileges, priv_count, filter_groups, group_count );
-+        if (token)
-+        {
-+            unsigned int access = get_handle_access( current->process, req->handle );
-+            reply->new_handle = alloc_handle_no_access_check( current->process, token, access, 0 );
-+            release_object( token );
-+        }
-+        release_object( src_token );
-+    }
-+}
-+
- /* checks the specified privileges are held by the token */
- DECL_HANDLER(check_token_privileges)
- {
--- 
-2.27.0
-

patches/advapi32-CreateRestrictedToken/0002-advapi32-Implement-CreateRestrictedToken.patch

@@ -1,132 +0,0 @@
-From 3c1f5962482e7acf531f57f49d923d9c4e5278b1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Fri, 4 Aug 2017 02:51:57 +0200
-Subject: [PATCH] advapi32: Implement CreateRestrictedToken.
-
----
- dlls/kernelbase/security.c | 103 ++++++++++++++++++++++++++++++-------
- 1 file changed, 84 insertions(+), 19 deletions(-)
-
-diff --git a/dlls/kernelbase/security.c b/dlls/kernelbase/security.c
-index 2e75e81ed77..97f6ee6a2fd 100644
---- a/dlls/kernelbase/security.c
-+++ b/dlls/kernelbase/security.c
-@@ -592,31 +592,96 @@ exit:
-     return ret;
- }
- 
-+static BOOL allocate_groups(TOKEN_GROUPS **groups_ret, SID_AND_ATTRIBUTES *sids, DWORD count)
-+{
-+    TOKEN_GROUPS *groups;
-+    DWORD i;
-+
-+    if (!count)
-+    {
-+        *groups_ret = NULL;
-+        return TRUE;
-+    }
-+
-+    groups = (TOKEN_GROUPS *)heap_alloc(FIELD_OFFSET(TOKEN_GROUPS, Groups) +
-+                                        count * sizeof(SID_AND_ATTRIBUTES));
-+    if (!groups)
-+    {
-+        SetLastError(ERROR_OUTOFMEMORY);
-+        return FALSE;
-+    }
-+
-+    groups->GroupCount = count;
-+    for (i = 0; i < count; i++)
-+        groups->Groups[i] = sids[i];
-+
-+    *groups_ret = groups;
-+    return TRUE;
-+}
-+
-+static BOOL allocate_privileges(TOKEN_PRIVILEGES **privileges_ret, LUID_AND_ATTRIBUTES *privs, DWORD count)
-+{
-+    TOKEN_PRIVILEGES *privileges;
-+    DWORD i;
-+
-+    if (!count)
-+    {
-+        *privileges_ret = NULL;
-+        return TRUE;
-+    }
-+
-+    privileges = (TOKEN_PRIVILEGES *)heap_alloc(FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges) +
-+                                                count * sizeof(LUID_AND_ATTRIBUTES));
-+    if (!privileges)
-+    {
-+        SetLastError(ERROR_OUTOFMEMORY);
-+        return FALSE;
-+    }
-+
-+    privileges->PrivilegeCount = count;
-+    for (i = 0; i < count; i++)
-+        privileges->Privileges[i] = privs[i];
-+
-+    *privileges_ret = privileges;
-+    return TRUE;
-+}
-+
- /*************************************************************************
-  * CreateRestrictedToken    (kernelbase.@)
-  */
--BOOL WINAPI CreateRestrictedToken( HANDLE token, DWORD flags,
--                                   DWORD disable_count, PSID_AND_ATTRIBUTES disable_sids,
--                                   DWORD delete_count, PLUID_AND_ATTRIBUTES delete_privs,
--                                   DWORD restrict_count, PSID_AND_ATTRIBUTES restrict_sids, PHANDLE ret )
-+BOOL WINAPI CreateRestrictedToken( HANDLE baseToken, DWORD flags,
-+                                   DWORD nDisableSids, PSID_AND_ATTRIBUTES disableSids,
-+                                   DWORD nDeletePrivs, PLUID_AND_ATTRIBUTES deletePrivs,
-+                                   DWORD nRestrictSids, PSID_AND_ATTRIBUTES restrictSids, PHANDLE newToken )
- {
--    TOKEN_TYPE type;
--    SECURITY_IMPERSONATION_LEVEL level = SecurityAnonymous;
--    DWORD size;
-+    TOKEN_PRIVILEGES *delete_privs = NULL;
-+    TOKEN_GROUPS *disable_groups = NULL;
-+    TOKEN_GROUPS *restrict_sids = NULL;
-+    BOOL ret = FALSE;
- 
--    FIXME("(%p, 0x%x, %u, %p, %u, %p, %u, %p, %p): stub\n",
--          token, flags, disable_count, disable_sids, delete_count, delete_privs,
--          restrict_count, restrict_sids, ret );
-+    TRACE("(%p, 0x%x, %u, %p, %u, %p, %u, %p, %p)\n",
-+          baseToken, flags, nDisableSids, disableSids,
-+          nDeletePrivs, deletePrivs,
-+          nRestrictSids, restrictSids,
-+          newToken);
-+
-+    if (!allocate_groups(&disable_groups, disableSids, nDisableSids))
-+        goto done;
-+
-+    if (!allocate_privileges(&delete_privs, deletePrivs, nDeletePrivs))
-+        goto done;
-+
-+    if (!allocate_groups(&restrict_sids, restrictSids, nRestrictSids))
-+        goto done;
-+
-+    ret = set_ntstatus(NtFilterToken(baseToken, flags, disable_groups, delete_privs, restrict_sids, newToken));
-+
-+done:
-+    heap_free(disable_groups);
-+    heap_free(delete_privs);
-+    heap_free(restrict_sids);
-+    return ret;
- 
--    size = sizeof(type);
--    if (!GetTokenInformation( token, TokenType, &type, size, &size )) return FALSE;
--    if (type == TokenImpersonation)
--    {
--        size = sizeof(level);
--        if (!GetTokenInformation( token, TokenImpersonationLevel, &level, size, &size ))
--            return FALSE;
--    }
--    return DuplicateTokenEx( token, MAXIMUM_ALLOWED, NULL, level, type, ret );
- }
- 
- /******************************************************************************
--- 
-2.20.1
-

patches/advapi32-CreateRestrictedToken/definition

@@ -1 +0,0 @@
-Fixes: [25834] Implement advapi32.CreateRestrictedToken

patches/advapi32-Token_Integrity_Level/0006-ntdll-Add-function-to-create-new-tokens-for-elevatio.patch

@@ -1,4 +1,4 @@
-From cdf1f84a65198df1ac4162f868f35971e5e1a2a1 Mon Sep 17 00:00:00 2001
+From c47977a8bbd739483589d1f01cfece435be1c100 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
 Date: Sat, 5 Aug 2017 01:45:29 +0200
 Subject: [PATCH] ntdll: Add function to create new tokens for elevation
@@ -14,10 +14,10 @@ Subject: [PATCH] ntdll: Add function to create new tokens for elevation
  6 files changed, 117 insertions(+)
 
 diff --git a/dlls/ntdll/ntdll.spec b/dlls/ntdll/ntdll.spec
-index f604c8a3c35..850a40412d0 100644
+index 0997c310110..8e3786e1972 100644
 --- a/dlls/ntdll/ntdll.spec
 +++ b/dlls/ntdll/ntdll.spec
-@@ -1599,6 +1599,9 @@
+@@ -1600,6 +1600,9 @@
  # Virtual memory
  @ cdecl __wine_locked_recvmsg(long ptr long)
  
@@ -28,12 +28,12 @@ index f604c8a3c35..850a40412d0 100644
  @ cdecl wine_get_version()
  @ cdecl wine_get_build_id()
 diff --git a/dlls/ntdll/ntdll_misc.h b/dlls/ntdll/ntdll_misc.h
-index 1f27cd100a7..769d6facc9f 100644
+index 63ceac42e94..5a98501381b 100644
 --- a/dlls/ntdll/ntdll_misc.h
 +++ b/dlls/ntdll/ntdll_misc.h
-@@ -68,6 +68,9 @@ extern void init_locale( HMODULE module ) DECLSPEC_HIDDEN;
- extern void init_user_process_params(void) DECLSPEC_HIDDEN;
+@@ -67,6 +67,9 @@ extern void init_user_process_params(void) DECLSPEC_HIDDEN;
  extern NTSTATUS restart_process( RTL_USER_PROCESS_PARAMETERS *params, NTSTATUS status ) DECLSPEC_HIDDEN;
+ extern void CDECL DECLSPEC_NORETURN signal_start_thread( CONTEXT *ctx ) DECLSPEC_HIDDEN;
  
 +/* token */
 +extern HANDLE CDECL __wine_create_default_token(BOOL admin);
@@ -71,10 +71,10 @@ index 77ba5b371e2..3e91a1fa9c4 100644
   *           restart_process
   */
 diff --git a/server/protocol.def b/server/protocol.def
-index 4d37a0df348..56b52dd2231 100644
+index 30a102d7b82..a9308904afc 100644
 --- a/server/protocol.def
 +++ b/server/protocol.def
-@@ -3581,6 +3581,14 @@ struct handle_info
+@@ -3481,6 +3481,14 @@ struct handle_info
  @END
  
  
@@ -215,5 +215,5 @@ index c4f1cd943c2..970ed1838da 100644
 +    }
 +}
 -- 
-2.27.0
+2.28.0
 

patches/advapi32-Token_Integrity_Level/0008-ntdll-Implement-process-token-elevation-through-mani.patch

@@ -1,4 +1,4 @@
-From f058e0e1425aab869a1a7d0db0446944af9bc8d6 Mon Sep 17 00:00:00 2001
+From 51cde3dff5de27d1aebc964a4802758534d56773 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
 Date: Sat, 5 Aug 2017 03:39:55 +0200
 Subject: [PATCH] ntdll: Implement process token elevation through manifests.
@@ -74,7 +74,7 @@ index 6290cbcb4e6..9a8f13901b2 100644
      RemoveEntryList( &wm->ldr.InLoadOrderLinks );
      InsertHeadList( &peb->LdrData->InLoadOrderModuleList, &wm->ldr.InLoadOrderLinks );
 diff --git a/server/process.c b/server/process.c
-index 7875db09801..d7334ffc959 100644
+index fa8495511e0..df72efdecc8 100644
 --- a/server/process.c
 +++ b/server/process.c
 @@ -1086,6 +1086,14 @@ int set_process_debug_flag( struct process *process, int flag )
@@ -93,7 +93,7 @@ index 7875db09801..d7334ffc959 100644
  DECL_HANDLER(new_process)
  {
 diff --git a/server/process.h b/server/process.h
-index 3944a67d571..3cbf70fda21 100644
+index 0fdf070b78e..43e8cc1ad7e 100644
 --- a/server/process.h
 +++ b/server/process.h
 @@ -129,6 +129,7 @@ extern void kill_console_processes( struct thread *renderer, int exit_code );
@@ -103,12 +103,12 @@ index 3944a67d571..3cbf70fda21 100644
 +extern void replace_process_token( struct process *process, struct token *token );
  
  /* console functions */
- extern obj_handle_t inherit_console( struct thread *parent_thread, struct process *parent,
+ extern obj_handle_t inherit_console( struct thread *parent_thread, obj_handle_t handle,
 diff --git a/server/protocol.def b/server/protocol.def
-index b84d1d10004..65bcb99d486 100644
+index a9308904afc..8c40fba8d0a 100644
 --- a/server/protocol.def
 +++ b/server/protocol.def
-@@ -3526,6 +3526,13 @@ struct handle_info
+@@ -3489,6 +3489,13 @@ struct handle_info
  @END
  
  
@@ -145,5 +145,5 @@ index 970ed1838da..1c1d49989b3 100644
 +    }
 +}
 -- 
-2.27.0
+2.28.0
 

patches/advapi32-Token_Integrity_Level/0010-server-Implement-support-for-creating-processes-usin.patch

@@ -1,310 +0,0 @@
-From 9c61f6acfa2c43e43f07fae1a5cd447573b9529b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Sun, 6 Aug 2017 02:08:05 +0200
-Subject: [PATCH] server: Implement support for creating processes using a
- token.
-
----
- dlls/kernelbase/process.c | 24 +++++++++++++-----------
- dlls/ntdll/unix/process.c |  1 +
- server/process.c          | 39 +++++++++++++++++++++++++++++++++++----
- server/process.h          |  2 +-
- server/protocol.def       |  1 +
- server/request.c          |  2 +-
- server/security.h         |  2 ++
- server/token.c            | 11 +++++++++++
- 8 files changed, 65 insertions(+), 17 deletions(-)
-
-diff --git a/dlls/kernelbase/process.c b/dlls/kernelbase/process.c
-index a3b168543fc..b5c8b47239d 100644
---- a/dlls/kernelbase/process.c
-+++ b/dlls/kernelbase/process.c
-@@ -244,7 +244,7 @@ static RTL_USER_PROCESS_PARAMETERS *create_process_params( const WCHAR *filename
- /***********************************************************************
-  *           create_nt_process
-  */
--static NTSTATUS create_nt_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-+static NTSTATUS create_nt_process( HANDLE token, SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-                                    BOOL inherit, DWORD flags, RTL_USER_PROCESS_PARAMETERS *params,
-                                    RTL_USER_PROCESS_INFORMATION *info, HANDLE parent )
- {
-@@ -259,7 +259,7 @@ static NTSTATUS create_nt_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES
-         status = RtlCreateUserProcess( &nameW, OBJ_CASE_INSENSITIVE, params,
-                                        psa ? psa->lpSecurityDescriptor : NULL,
-                                        tsa ? tsa->lpSecurityDescriptor : NULL,
--                                       parent, inherit, 0, 0, info );
-+                                       parent, inherit, 0, token, info );
-         RtlFreeUnicodeString( &nameW );
-     }
-     return status;
-@@ -269,7 +269,7 @@ static NTSTATUS create_nt_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES
- /***********************************************************************
-  *           create_vdm_process
-  */
--static NTSTATUS create_vdm_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-+static NTSTATUS create_vdm_process( HANDLE token, SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-                                     BOOL inherit, DWORD flags, RTL_USER_PROCESS_PARAMETERS *params,
-                                     RTL_USER_PROCESS_INFORMATION *info )
- {
-@@ -290,7 +290,7 @@ static NTSTATUS create_vdm_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTE
-               winevdm, params->ImagePathName.Buffer, params->CommandLine.Buffer );
-     RtlInitUnicodeString( &params->ImagePathName, winevdm );
-     RtlInitUnicodeString( &params->CommandLine, newcmdline );
--    status = create_nt_process( psa, tsa, inherit, flags, params, info, NULL );
-+    status = create_nt_process( token, psa, tsa, inherit, flags, params, info, NULL );
-     HeapFree( GetProcessHeap(), 0, newcmdline );
-     return status;
- }
-@@ -299,7 +299,7 @@ static NTSTATUS create_vdm_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTE
- /***********************************************************************
-  *           create_cmd_process
-  */
--static NTSTATUS create_cmd_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-+static NTSTATUS create_cmd_process( HANDLE token, SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-                                     BOOL inherit, DWORD flags, RTL_USER_PROCESS_PARAMETERS *params,
-                                     RTL_USER_PROCESS_INFORMATION *info )
- {
-@@ -318,7 +318,7 @@ static NTSTATUS create_cmd_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTE
-     swprintf( newcmdline, len, L"%s /s/c \"%s\"", comspec, params->CommandLine.Buffer );
-     RtlInitUnicodeString( &params->ImagePathName, comspec );
-     RtlInitUnicodeString( &params->CommandLine, newcmdline );
--    status = create_nt_process( psa, tsa, inherit, flags, params, info, NULL );
-+    status = create_nt_process( token, psa, tsa, inherit, flags, params, info, NULL );
-     RtlFreeHeap( GetProcessHeap(), 0, newcmdline );
-     return status;
- }
-@@ -450,7 +450,9 @@ BOOL WINAPI DECLSPEC_HOTPATCH CreateProcessInternalW( HANDLE token, const WCHAR
- 
-     TRACE( "app %s cmdline %s\n", debugstr_w(app_name), debugstr_w(cmd_line) );
- 
--    if (token) FIXME( "Creating a process with a token is not yet implemented\n" );
-+    /* FIXME: Starting a process which requires admin rights should fail
-+     * with ERROR_ELEVATION_REQUIRED when no token is passed. */
-+
-     if (new_token) FIXME( "No support for returning created process token\n" );
- 
-     if (app_name)
-@@ -523,7 +525,7 @@ BOOL WINAPI DECLSPEC_HOTPATCH CreateProcessInternalW( HANDLE token, const WCHAR
-         }
-     }
- 
--    status = create_nt_process( process_attr, thread_attr, inherit, flags, params, &rtl_info, parent );
-+    status = create_nt_process( token, process_attr, thread_attr, inherit, flags, params, &rtl_info, parent );
-     switch (status)
-     {
-     case STATUS_SUCCESS:
-@@ -532,7 +534,7 @@ BOOL WINAPI DECLSPEC_HOTPATCH CreateProcessInternalW( HANDLE token, const WCHAR
-     case STATUS_INVALID_IMAGE_NE_FORMAT:
-     case STATUS_INVALID_IMAGE_PROTECT:
-         TRACE( "starting %s as Win16/DOS binary\n", debugstr_w(app_name) );
--        status = create_vdm_process( process_attr, thread_attr, inherit, flags, params, &rtl_info );
-+        status = create_vdm_process( token, process_attr, thread_attr, inherit, flags, params, &rtl_info );
-         break;
-     case STATUS_INVALID_IMAGE_NOT_MZ:
-         /* check for .com or .bat extension */
-@@ -540,12 +542,12 @@ BOOL WINAPI DECLSPEC_HOTPATCH CreateProcessInternalW( HANDLE token, const WCHAR
-         if (!wcsicmp( p, L".com" ) || !wcsicmp( p, L".pif" ))
-         {
-             TRACE( "starting %s as DOS binary\n", debugstr_w(app_name) );
--            status = create_vdm_process( process_attr, thread_attr, inherit, flags, params, &rtl_info );
-+            status = create_vdm_process( token, process_attr, thread_attr, inherit, flags, params, &rtl_info );
-         }
-         else if (!wcsicmp( p, L".bat" ) || !wcsicmp( p, L".cmd" ))
-         {
-             TRACE( "starting %s as batch binary\n", debugstr_w(app_name) );
--            status = create_cmd_process( process_attr, thread_attr, inherit, flags, params, &rtl_info );
-+            status = create_cmd_process( token, process_attr, thread_attr, inherit, flags, params, &rtl_info );
-         }
-         break;
-     }
-diff --git a/dlls/ntdll/unix/process.c b/dlls/ntdll/unix/process.c
-index cca6c2747bf..379a0036b63 100644
---- a/dlls/ntdll/unix/process.c
-+++ b/dlls/ntdll/unix/process.c
-@@ -827,6 +827,7 @@ NTSTATUS WINAPI NtCreateUserProcess( HANDLE *process_handle_ptr, HANDLE *thread_
-         req->access         = process_access;
-         req->cpu            = pe_info.cpu;
-         req->info_size      = startup_info_size;
-+        req->token          = wine_server_obj_handle( token );
-         wine_server_add_data( req, objattr, attr_len );
-         wine_server_add_data( req, startup_info, startup_info_size );
-         wine_server_add_data( req, params->Environment, env_size );
-diff --git a/server/process.c b/server/process.c
-index 52604ec4d61..047916ffd09 100644
---- a/server/process.c
-+++ b/server/process.c
-@@ -499,7 +499,7 @@ static void start_sigkill_timer( struct process *process )
- /* create a new process */
- /* if the function fails the fd is closed */
- struct process *create_process( int fd, struct process *parent, int inherit_all,
--                                const struct security_descriptor *sd )
-+                                const struct security_descriptor *sd, struct token *token )
- {
-     struct process *process;
- 
-@@ -576,7 +576,7 @@ struct process *create_process( int fd, struct process *parent, int inherit_all,
-                                        : alloc_handle_table( process, 0 );
-         /* Note: for security reasons, starting a new process does not attempt
-          * to use the current impersonation token for the new process */
--        process->token = token_duplicate( parent->token, TRUE, 0, NULL, NULL, 0, NULL, 0 );
-+        process->token = token_duplicate( token ? token : parent->token, TRUE, 0, NULL, NULL, 0, NULL, 0 );
-         process->affinity = parent->affinity;
-     }
-     if (!process->handles || !process->token) goto error;
-@@ -1132,6 +1132,7 @@ DECL_HANDLER(new_process)
-     const struct security_descriptor *sd;
-     const struct object_attributes *objattr = get_req_object_attributes( &sd, &name, NULL );
-     struct process *process = NULL;
-+    struct token *token = NULL;
-     struct process *parent;
-     struct thread *parent_thread = current;
-     int socket_fd = thread_get_inflight_fd( current, req->socket_fd );
-@@ -1185,10 +1186,39 @@ DECL_HANDLER(new_process)
-         return;
-     }
- 
-+    if (req->token)
-+    {
-+        token = get_token_from_handle( req->token, TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY );
-+        if (!token)
-+        {
-+            close( socket_fd );
-+            return;
-+        }
-+        if (!token_is_primary( token ))
-+        {
-+            set_error( STATUS_BAD_TOKEN_TYPE );
-+            release_object( token );
-+            close( socket_fd );
-+            return;
-+        }
-+    }
-+
-+    if (!req->info_size)  /* create an orphaned process */
-+    {
-+        if ((process = create_process( socket_fd, NULL, 0, sd, token )))
-+        {
-+            create_thread( -1, process, NULL );
-+            release_object( process );
-+        }
-+        if (token) release_object( token );
-+        return;
-+    }
-+
-     /* build the startup info for a new process */
-     if (!(info = alloc_object( &startup_info_ops )))
-     {
-         close( socket_fd );
-+        if (token) release_object( token );
-         release_object( parent );
-         return;
-     }
-@@ -1236,7 +1266,7 @@ DECL_HANDLER(new_process)
- #undef FIXUP_LEN
-     }
- 
--    if (!(process = create_process( socket_fd, parent, req->inherit_all, sd ))) goto done;
-+    if (!(process = create_process( socket_fd, parent, req->inherit_all, sd, token ))) goto done;
- 
-     process->startup_info = (struct startup_info *)grab_object( info );
- 
-@@ -1297,6 +1327,7 @@ DECL_HANDLER(new_process)
-     reply->handle = alloc_handle_no_access_check( current->process, process, req->access, objattr->attributes );
- 
-  done:
-+    if (token) release_object( token );
-     if (process) release_object( process );
-     release_object( parent );
-     release_object( info );
-@@ -1330,7 +1361,7 @@ DECL_HANDLER(exec_process)
-         close( socket_fd );
-         return;
-     }
--    if (!(process = create_process( socket_fd, NULL, 0, NULL ))) return;
-+    if (!(process = create_process( socket_fd, NULL, 0, NULL, NULL ))) return;
-     create_thread( -1, process, NULL );
-     release_object( process );
- }
-diff --git a/server/process.h b/server/process.h
-index dfe5c4e52d8..61b83abf693 100644
---- a/server/process.h
-+++ b/server/process.h
-@@ -118,7 +118,7 @@ extern unsigned int alloc_ptid( void *ptr );
- extern void free_ptid( unsigned int id );
- extern void *get_ptid_entry( unsigned int id );
- extern struct process *create_process( int fd, struct process *parent, int inherit_all,
--                                       const struct security_descriptor *sd );
-+                                       const struct security_descriptor *sd, struct token *token );
- extern data_size_t init_process( struct thread *thread );
- extern struct thread *get_process_first_thread( struct process *process );
- extern struct process *get_process_from_id( process_id_t id );
-diff --git a/server/protocol.def b/server/protocol.def
-index 901c380b721..8c86967609f 100644
---- a/server/protocol.def
-+++ b/server/protocol.def
-@@ -801,6 +801,7 @@ struct rawinput_device
-     unsigned int access;         /* access rights for process object */
-     client_cpu_t cpu;            /* CPU that the new process will use */
-     data_size_t  info_size;      /* size of startup info */
-+    obj_handle_t token;          /* token for the new process */
-     VARARG(objattr,object_attributes);   /* object attributes */
-     VARARG(info,startup_info,info_size); /* startup information */
-     VARARG(env,unicode_str);     /* environment for new process */
-diff --git a/server/request.c b/server/request.c
-index 4c1f30a5fe7..321bb6cfa81 100644
---- a/server/request.c
-+++ b/server/request.c
-@@ -582,7 +582,7 @@ static void master_socket_poll_event( struct fd *fd, int event )
-         int client = accept( get_unix_fd( master_socket->fd ), (struct sockaddr *) &dummy, &len );
-         if (client == -1) return;
-         fcntl( client, F_SETFL, O_NONBLOCK );
--        if ((process = create_process( client, NULL, 0, NULL )))
-+        if ((process = create_process( client, NULL, 0, NULL, NULL )))
-         {
-             create_thread( -1, process, NULL );
-             release_object( process );
-diff --git a/server/security.h b/server/security.h
-index 21e90ccf23f..32dfe5f8db9 100644
---- a/server/security.h
-+++ b/server/security.h
-@@ -67,6 +67,8 @@ extern const ACL *token_get_default_dacl( struct token *token );
- extern const SID *token_get_user( struct token *token );
- extern const SID *token_get_primary_group( struct token *token );
- extern int token_sid_present( struct token *token, const SID *sid, int deny);
-+extern struct token *get_token_from_handle( obj_handle_t handle, unsigned int access );
-+extern int token_is_primary( struct token *token );
- 
- static inline const ACE_HEADER *ace_next( const ACE_HEADER *ace )
- {
-diff --git a/server/token.c b/server/token.c
-index 1c1d49989b3..2f466aa1b25 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -843,6 +843,12 @@ int token_assign_label( struct token *token, PSID label )
-     return ret;
- }
- 
-+struct token *get_token_from_handle( obj_handle_t handle, unsigned int access )
-+{
-+    return (struct token *)get_handle_obj( current->process, handle,
-+                                           access, &token_ops );
-+}
-+
- struct token *token_create_admin( void )
- {
-     struct token *token = NULL;
-@@ -1269,6 +1275,11 @@ const SID *token_get_primary_group( struct token *token )
-     return token->primary_group;
- }
- 
-+int token_is_primary( struct token *token )
-+{
-+    return token->primary;
-+}
-+
- int check_object_access(struct object *obj, unsigned int *access)
- {
-     GENERIC_MAPPING mapping;
--- 
-2.27.0
-

patches/advapi32-Token_Integrity_Level/definition

@@ -1,4 +1,7 @@
 Fixes: [40613] Basic implementation for token integrity levels and UAC handling
 Fixes: [39262] Run explorer.exe as unevaluated process
-Depends: advapi32-CreateRestrictedToken
 Depends: Staging
+# Broken due to ntdll.so <- ntdll.dll imports. This isn't particularly difficult
+# to fix, but it was already broken for some more obscure reason, and the whole
+# patch set needs to be rewritten anyway.
+Disabled: true

patches/bcrypt-ECDHSecretAgreement/0001-bcrypt-Allow-multiple-backends-to-coexist.patch

@@ -0,0 +1,329 @@
+From ef218059ebea8a860dea6b12a7b28984c51d2777 Mon Sep 17 00:00:00 2001
+From: Derek Lesho <dlesho@codeweavers.com>
+Date: Fri, 2 Oct 2020 11:29:24 -0500
+Subject: [PATCH] bcrypt: Allow multiple backends to coexist.
+
+Signed-off-by: Derek Lesho <dlesho@codeweavers.com>
+---
+ dlls/bcrypt/Makefile.in       |   3 +-
+ dlls/bcrypt/bcrypt_internal.h |   3 +
+ dlls/bcrypt/gnutls.c          |  32 ++++--
+ dlls/bcrypt/macos.c           |  18 +++-
+ dlls/bcrypt/unixlib.c         | 194 ++++++++++++++++++++++++++++++++++
+ 5 files changed, 235 insertions(+), 15 deletions(-)
+ create mode 100644 dlls/bcrypt/unixlib.c
+
+diff --git a/dlls/bcrypt/Makefile.in b/dlls/bcrypt/Makefile.in
+index 24803fb2d7c..46a20d473dd 100644
+--- a/dlls/bcrypt/Makefile.in
++++ b/dlls/bcrypt/Makefile.in
+@@ -11,6 +11,7 @@ C_SRCS = \
+ 	macos.c \
+ 	md2.c \
+ 	sha256.c \
+-	sha512.c
++	sha512.c \
++	unixlib.c
+ 
+ RC_SRCS = version.rc
+diff --git a/dlls/bcrypt/bcrypt_internal.h b/dlls/bcrypt/bcrypt_internal.h
+index 463672db470..90551868cf0 100644
+--- a/dlls/bcrypt/bcrypt_internal.h
++++ b/dlls/bcrypt/bcrypt_internal.h
+@@ -215,4 +215,7 @@ struct key_funcs
+     NTSTATUS (CDECL *key_import_ecc)( struct key *, UCHAR *, ULONG );
+ };
+ 
++struct key_funcs *gnutls_lib_init(DWORD reason);
++struct key_funcs *macos_lib_init(DWORD reason);
++
+ #endif /* __BCRYPT_INTERNAL_H */
+diff --git a/dlls/bcrypt/gnutls.c b/dlls/bcrypt/gnutls.c
+index 5ed51e8704c..7a1eada329c 100644
+--- a/dlls/bcrypt/gnutls.c
++++ b/dlls/bcrypt/gnutls.c
+@@ -347,9 +347,12 @@ fail:
+ 
+ static void gnutls_uninitialize(void)
+ {
+-    pgnutls_global_deinit();
+-    dlclose( libgnutls_handle );
+-    libgnutls_handle = NULL;
++    if (libgnutls_handle)
++    {
++        pgnutls_global_deinit();
++        dlclose( libgnutls_handle );
++        libgnutls_handle = NULL;
++    }
+ }
+ 
+ struct buffer
+@@ -1848,19 +1851,28 @@ static const struct key_funcs key_funcs =
+     key_import_ecc
+ };
+ 
+-NTSTATUS CDECL __wine_init_unix_lib( HMODULE module, DWORD reason, const void *ptr_in, void *ptr_out )
++struct key_funcs * gnutls_lib_init( DWORD reason )
+ {
+     switch (reason)
+     {
+     case DLL_PROCESS_ATTACH:
+-        if (!gnutls_initialize()) return STATUS_DLL_NOT_FOUND;
+-        *(const struct key_funcs **)ptr_out = &key_funcs;
+-        break;
++        if (!gnutls_initialize()) return NULL;
++        return &key_funcs;
+     case DLL_PROCESS_DETACH:
+         gnutls_uninitialize();
+-        break;
+     }
+-    return STATUS_SUCCESS;
++    return NULL;
+ }
+ 
+-#endif /* HAVE_GNUTLS_CIPHER_INIT */
++#else /* HAVE_GNUTLS_CIPHER_INIT */
++#include "ntstatus.h"
++#define WIN32_NO_STATUS
++#include "windef.h"
++#include "winbase.h"
++#include "winternl.h"
++
++struct key_funcs * gnutls_lib_init( DWORD reason )
++{
++    return NULL;
++}
++#endif
+diff --git a/dlls/bcrypt/macos.c b/dlls/bcrypt/macos.c
+index d8bba46ad5c..8df5ca8645f 100644
+--- a/dlls/bcrypt/macos.c
++++ b/dlls/bcrypt/macos.c
+@@ -287,11 +287,21 @@ static const struct key_funcs key_funcs =
+     key_import_ecc
+ };
+ 
+-NTSTATUS CDECL __wine_init_unix_lib( HMODULE module, DWORD reason, const void *ptr_in, void *ptr_out )
++struct key_funcs * macos_lib_init( DWORD reason )
+ {
+-    if (reason != DLL_PROCESS_ATTACH) return STATUS_SUCCESS;
+-    *(const struct key_funcs **)ptr_out = &key_funcs;
+-    return STATUS_SUCCESS;
++    if (reason != DLL_PROCESS_ATTACH) return NULL;
++    return &key_funcs;
+ }
+ 
++#else
++#include "ntstatus.h"
++#define WIN32_NO_STATUS
++#include "windef.h"
++#include "winbase.h"
++#include "winternl.h"
++
++struct key_funcs * macos_lib_init( DWORD reason )
++{
++    return NULL;
++}
+ #endif
+diff --git a/dlls/bcrypt/unixlib.c b/dlls/bcrypt/unixlib.c
+new file mode 100644
+index 00000000000..a158ec1630a
+--- /dev/null
++++ b/dlls/bcrypt/unixlib.c
+@@ -0,0 +1,194 @@
++#if 0
++#pragma makedep unix
++#endif
++
++#include "config.h"
++#include "wine/port.h"
++
++#include <stdarg.h>
++
++#include "ntstatus.h"
++#define WIN32_NO_STATUS
++#include "windef.h"
++#include "winbase.h"
++#include "ntsecapi.h"
++#include "bcrypt.h"
++
++#include "bcrypt_internal.h"
++
++#include "wine/debug.h"
++#include "wine/unicode.h"
++
++#if defined(HAVE_COMMONCRYPTO_COMMONCRYPTOR_H) && MAC_OS_X_VERSION_MAX_ALLOWED >= 1080 || defined(HAVE_GNUTLS_CIPHER_INIT)
++WINE_DEFAULT_DEBUG_CHANNEL(bcrypt);
++
++static NTSTATUS CDECL key_set_property( struct key *key, const WCHAR *prop, UCHAR *value, ULONG size, ULONG flags )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_symmetric_init( struct key *key )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static void CDECL key_symmetric_vector_reset( struct key *key )
++{
++    FIXME( "not implemented\n" );
++}
++
++static NTSTATUS CDECL key_symmetric_set_auth_data( struct key *key, UCHAR *auth_data, ULONG len )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_symmetric_encrypt( struct key *key, const UCHAR *input, ULONG input_len, UCHAR *output, ULONG output_len  )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_symmetric_decrypt( struct key *key, const UCHAR *input, ULONG input_len, UCHAR *output, ULONG output_len )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_symmetric_get_tag( struct key *key, UCHAR *tag, ULONG len )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static void CDECL key_symmetric_destroy( struct key *key )
++{
++    FIXME( "not implemented\n" );
++}
++
++static NTSTATUS CDECL key_asymmetric_init( struct key *key )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_asymmetric_sign( struct key *key, void *padding, UCHAR *input, ULONG input_len, UCHAR *output,
++                                           ULONG output_len, ULONG *ret_len, ULONG flags )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_asymmetric_verify( struct key *key, void *padding, UCHAR *hash, ULONG hash_len,
++                                             UCHAR *signature, ULONG signature_len, DWORD flags )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_export_dsa_capi( struct key *key, UCHAR *buf, ULONG len, ULONG *ret_len )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_export_ecc( struct key *key, UCHAR *output, ULONG len, ULONG *ret_len )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_import_dsa_capi( struct key *key, UCHAR *buf, ULONG len )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_import_ecc( struct key *key, UCHAR *input, ULONG len )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_asymmetric_generate( struct key *key )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_asymmetric_duplicate( struct key *key_orig, struct key *key_copy )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static void CDECL key_asymmetric_destroy( struct key *key )
++{
++    FIXME( "not implemented\n" );
++}
++
++static struct key_funcs key_funcs =
++{
++    key_set_property,
++    key_symmetric_init,
++    key_symmetric_vector_reset,
++    key_symmetric_set_auth_data,
++    key_symmetric_encrypt,
++    key_symmetric_decrypt,
++    key_symmetric_get_tag,
++    key_symmetric_destroy,
++    key_asymmetric_init,
++    key_asymmetric_generate,
++    key_asymmetric_duplicate,
++    key_asymmetric_sign,
++    key_asymmetric_verify,
++    key_asymmetric_destroy,
++    key_export_dsa_capi,
++    key_export_ecc,
++    key_import_dsa_capi,
++    key_import_ecc
++};
++
++NTSTATUS CDECL __wine_init_unix_lib( HMODULE module, DWORD reason, const void *ptr_in, void *ptr_out )
++{
++    struct key_funcs *gnutls_funcs = gnutls_lib_init(reason);
++    struct key_funcs *macos_funcs = macos_lib_init(reason);
++
++    if (reason == DLL_PROCESS_ATTACH)
++    {
++#define RESOLVE_FUNC(name) \
++        if (macos_funcs && macos_funcs->key_##name) \
++            key_funcs.key_##name = macos_funcs->key_##name; \
++        if (gnutls_funcs && gnutls_funcs->key_##name) \
++            key_funcs.key_##name = gnutls_funcs->key_##name;
++
++        RESOLVE_FUNC(set_property)
++        RESOLVE_FUNC(symmetric_init)
++        RESOLVE_FUNC(symmetric_vector_reset)
++        RESOLVE_FUNC(symmetric_set_auth_data)
++        RESOLVE_FUNC(symmetric_encrypt)
++        RESOLVE_FUNC(symmetric_decrypt)
++        RESOLVE_FUNC(symmetric_get_tag)
++        RESOLVE_FUNC(symmetric_destroy)
++        RESOLVE_FUNC(asymmetric_init)
++        RESOLVE_FUNC(asymmetric_generate)
++        RESOLVE_FUNC(asymmetric_duplicate)
++        RESOLVE_FUNC(asymmetric_sign)
++        RESOLVE_FUNC(asymmetric_verify)
++        RESOLVE_FUNC(asymmetric_destroy)
++        RESOLVE_FUNC(export_dsa_capi)
++        RESOLVE_FUNC(export_ecc)
++        RESOLVE_FUNC(import_dsa_capi)
++        RESOLVE_FUNC(import_ecc)
++
++#undef RESOLVE_FUNC
++
++        *(struct key_funcs **)ptr_out = &key_funcs;
++    }
++
++    return STATUS_SUCCESS;
++}
++
++#endif
+-- 
+2.28.0
+

patches/bcrypt-ECDHSecretAgreement/0003-bcrypt-Implement-BCRYPT_KDF_HASH.patch

@@ -1,4 +1,4 @@
-From d232882c571a14f4da8a134071a2125805ebd41f Mon Sep 17 00:00:00 2001
+From 01530fae68970b0c0af8811c5f6c5ea85c14372c Mon Sep 17 00:00:00 2001
 From: Derek Lesho <dlesho@codeweavers.com>
 Date: Tue, 7 Jan 2020 14:22:49 -0600
 Subject: [PATCH] bcrypt: Implement BCRYPT_KDF_HASH.
@@ -7,21 +7,21 @@ Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=47699
 Signed-off-by: Derek Lesho <dlesho at codeweavers.com>
 ---
  dlls/bcrypt/bcrypt_main.c  | 108 ++++++++++++++++++++++++++++++++++++-
- dlls/bcrypt/tests/bcrypt.c |   2 +-
- 2 files changed, 108 insertions(+), 2 deletions(-)
+ dlls/bcrypt/tests/bcrypt.c |   3 +-
+ 2 files changed, 108 insertions(+), 3 deletions(-)
 
 diff --git a/dlls/bcrypt/bcrypt_main.c b/dlls/bcrypt/bcrypt_main.c
-index 65c28ca63e2..6e7b52e93b0 100644
+index 8dae41a2e2e..67be417aa61 100644
 --- a/dlls/bcrypt/bcrypt_main.c
 +++ b/dlls/bcrypt/bcrypt_main.c
-@@ -1891,7 +1891,113 @@ NTSTATUS WINAPI BCryptDeriveKey(BCRYPT_SECRET_HANDLE handle, LPCWSTR kdf, BCrypt
+@@ -1837,7 +1837,113 @@ NTSTATUS WINAPI BCryptDeriveKey(BCRYPT_SECRET_HANDLE handle, LPCWSTR kdf, BCrypt
      if (!secret || secret->hdr.magic != MAGIC_SECRET) return STATUS_INVALID_HANDLE;
      if (!kdf) return STATUS_INVALID_PARAMETER;
  
--    if (!(strcmpW( kdf, BCRYPT_KDF_RAW_SECRET )))
+-    if (!(lstrcmpW( kdf, BCRYPT_KDF_RAW_SECRET )))
 +    if (flags) FIXME("flags ignored: %08x\n", flags);
 +
-+    if (!(strcmpW( kdf, BCRYPT_KDF_HASH )))
++    if (!(lstrcmpW( kdf, BCRYPT_KDF_HASH )))
 +    {
 +        unsigned int i;
 +        BCryptBuffer *hash_algorithm = NULL;
@@ -67,7 +67,7 @@ index 65c28ca63e2..6e7b52e93b0 100644
 +        {
 +            for (i = 0; i < ARRAY_SIZE( builtin_algorithms ); i++)
 +            {
-+                if (!strcmpW( hash_algorithm->pvBuffer, builtin_algorithms[i].name))
++                if (!lstrcmpW( hash_algorithm->pvBuffer, builtin_algorithms[i].name))
 +                {
 +                    hash_alg_id = i;
 +                    break;
@@ -125,15 +125,15 @@ index 65c28ca63e2..6e7b52e93b0 100644
 +
 +        return STATUS_SUCCESS;
 +    }
-+    else if (!(strcmpW( kdf, BCRYPT_KDF_RAW_SECRET )))
++    else if (!(lstrcmpW( kdf, BCRYPT_KDF_RAW_SECRET )))
      {
          ULONG n;
          ULONG secret_length = secret->len;
 diff --git a/dlls/bcrypt/tests/bcrypt.c b/dlls/bcrypt/tests/bcrypt.c
-index a351aacf1f5..5333b879817 100644
+index 5701a0a30ce..d4ffb3fe69c 100644
 --- a/dlls/bcrypt/tests/bcrypt.c
 +++ b/dlls/bcrypt/tests/bcrypt.c
-@@ -2085,7 +2085,7 @@ static void test_ECDH(void)
+@@ -2132,7 +2132,7 @@ static void test_ECDH(void)
      raw_secret_end:
  
      status = pBCryptDeriveKey(secret, BCRYPT_KDF_HASH, &hash_params, NULL, 0, &size, 0);
@@ -142,6 +142,14 @@ index a351aacf1f5..5333b879817 100644
  
      if (status != STATUS_SUCCESS)
      {
+@@ -2666,7 +2666,6 @@ static void test_SecretAgreement(void)
+     ok(status == STATUS_INVALID_PARAMETER, "got %08x\n", status);
+ 
+     status = pBCryptDeriveKey(secret, L"HASH", NULL, NULL, 0, &size, 0);
+-    todo_wine
+     ok(status == STATUS_SUCCESS, "got %08x\n", status);
+ 
+     status = pBCryptDestroyHash(secret);
 -- 
-2.27.0
+2.28.0
 

patches/bcrypt-ECDHSecretAgreement/definition

@@ -1,2 +1,5 @@
 Fixes: [47699] Multiple games fail to connect to online services (missing BCryptSecretAgreement / BCryptDeriveKey implementation)
-
+# Needs to be moved to the unix lib, but that's a nontrivial amount of work, and
+# using gcrypt is the wrong way forward (we should expose the missing APIs from
+# gnutls instead).
+#Disabled: true

patches/color-sRGB-profile/0001-winspool-Add-sRGB-color-profile.patch

@@ -0,0 +1,167 @@
+From b037d19858277d7dde0df6cdf4678a55517366af Mon Sep 17 00:00:00 2001
+From: Alex Henrie <alexhenrie24@gmail.com>
+Date: Tue, 22 Sep 2020 22:00:11 -0600
+Subject: [PATCH] winspool: Add sRGB color profile
+
+"This profile is made available by the International Color Consortium,
+and may be copied, distributed, embedded, made, used, and sold without
+restriction. Altered versions of this profile shall have the original
+identification and copyright information removed and shall not be
+misrepresented as the original profile."
+
+See http://www.color.org/srgbprofiles.xalter
+
+Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=37396
+Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
+---
+ .../winspool.drv/sRGB_Color_Space_Profile.icm | Bin 0 -> 3024 bytes
+ dlls/winspool.drv/winspool.rc                 |   3 ++
+ dlls/winspool.drv/wspool.c                    |  38 ++++++++++++++++++
+ dlls/winspool.drv/wspool.h                    |   2 +
+ 4 files changed, 43 insertions(+)
+ create mode 100644 dlls/winspool.drv/sRGB_Color_Space_Profile.icm
+
+diff --git a/dlls/winspool.drv/sRGB_Color_Space_Profile.icm b/dlls/winspool.drv/sRGB_Color_Space_Profile.icm
+new file mode 100644
+index 0000000000000000000000000000000000000000..49afbfef10f22a1832590b68369d2f248ea553b9
+GIT binary patch
+literal 3024
+zcmb`Jc{r5o8^@pboqe;-klom~#=Z=)?<7n1RL0C;EQ4W?v`H$Qlq6e;oU(N2=!6`p
+zq_j9fq0&N*O8IqkN}I~>9j@P{b6vkb&vRYx^M3C8x$pP6pZoda{Q^K51jvAqCy}2f
+z2yl0zhlYjIaZeGKxM&3c7CSY0nf@_DE7pfmuw>n3h<vtUtxuW{AMLJ;(HbZuIuESG
+z{a=#ca8ua;KrYBCI||tx;d+E=QGo%@2zLR1C&&E2f*+WZ$l(A$xPip)i&@Gg`iXKA
+zgo!)=h{zhCC30D*2xlU!5fz`DhH#b0FIbL0E8;XRI~MWxB1}#fa*;fus4sgn(nRs3
+zP*Ds!Ss>yBge}>zEF^|hhw$p<`Vm43NktlHVq|Q#Wc`bi=uVbDr*Q%R@mv7f?y!Y|
+z^kpAf^uhola$__g2b6(2&;bl!0xW?IZ~(5r3;2RS5C%2@Hi!j@Kmam8HrNI7Kmj-i
+zj(`eK4eCGxXa=pI9dv;!;5xVs2Ehmz2NPf#yasdN16Y6{2nSIhDkKM~K$?&~WCAfE
+zJIEDU3k5)7P$U!s@gX6U4ef>spkk;3s(~7yU!e=o73d~31U-Nzp&96J=nIU3$uJF8
+zg0)~nm<c<=-f$qi5sraV;4C;7J^+`&weT6Z4ZZ^3hDYED_%%F_0w@wn2BnH(pqMCU
+zlrJhA6^#<0wxjY<rKnm|GpZBShq{ZJK+U2)qp@fznvQ0mZO|U*AT%4Dg5HiUL|35e
+z(QW8n^j-8MdJg>^L%}Fw^fA^LPfRE#29trw!<1r9Va{W&VMZ|1m=9PiRtBq$wZwX0
+z!?1DKt=K~BF>DL=GIj_%g`LOYaB?_(oGs25$HJxI@^Iz2Gq_8*VcazC6P|=u!JFXS
+z@ZoqqJ_lclZ^U=whw(4)3j_&*Cc&EEOW+W;5Q+$OgigX8!ZcxlC`r^N+7bhaal~E3
+zGGa6F8u1bF9f?FzBUzFBNj%a{QW@zi=>}<%^qDM0)+0NUBgjJX0rF|`W%2{^I|_xO
+zMRA~nQ_?60C=HaWlqZx=VpK5$F;6j$*bcEuu{N<`u{YubaZPbY@lE1c;-%u}#P5jD
+zN)RNpB%CE!65AyzB`!#eNz6-9C5<J0B@-nJB^xDgO1_lBNoh&BN^zuerA|s+m71cW
+zsOnT_Dx12ST1UM`ou*-F+B8pE9Ib%%3vGZlCoLsyCLJuDDP1XjQF=lKC8H(dDU%>m
+zB-1K0D)VKP(kjPQ+*SKmHLn_8^-)$q)<Kpln=jiUJ0kl<jxOga7cX~6u3hf2JX&5)
+z-d{dL{<!=#`B?>;f{g-OAzz_Y;h`d|sHYg9xK;6_V!z_NlCqM!QnFIH(p9BdWf^4$
+z<v8UM<!<E}6{?Dz3Qwg(<&w%Px-{L9o<J|7_tNK76;(Y{g{n2G1F8#Z+G;^+IchCx
+zkJX9lO!a8>67?SSISmyJAB}8{CXI)h1Wl%9tmaY8KFyC>+FBu6d$roNUTVu~dunHC
+zH)%i8q3GD_r0CS@+|$MCGIis1kLeET!FuL;v3iwycl2R>3w@scG5w*{nAKLR`KxPJ
+zk1@y$M@BlMi7{y)W3bjB$DrNdjiH8NxZxqgKEv-u=0*udbw=aHQpR4!ImVsFf1Bu;
+zuuUpW?wL|d-As3wc9_03(>LRq9XGpgPBr&2-)r7u{>{SDLSWHsF=MG=8EIK%ImV<h
+z{g{Q!8&()AC#xM+T~?p1Ev(b5Tdn`HVc5jmG}^peqrHZ^rf$uYt(q;%w#IhCj&2ue
+zcfxMMUe%suUu*x&LEVAlaLVC@qpo9|;~B>{PDV}wr}Iu9ovod>IbU``xwyOJy9~HW
+zxdypbxIS@HbBl3na+`BEci-xM*#qO@?QzIs%u~se?b+Zt=Vj@&&8yd&?7iN*!u#1;
+zy|se1oj$OSm(O9JN9#1#@z=Hc0$)$x!@iIGwEa^2e)q@v`}tS;KMybt$PVaRPhG!x
+zedGEMflh%%f#X3sLBgP(VDaFH;D+FjAub`sArqm7q1!@lhslTW!aBln;lbgj!sj=*
+zZaA`GI>J06FJg3~_QuSOH#f;|O4xL9v-oD#=5vvl$dJg!$geD4RxN8j$}_4eYL4y9
+zKFWU0ap072X1KQ8V(yD*+vwuxmoc_6hht`9?PE)0XL-)N3f|i|kGSf%kMX|or{fnB
+zLK0dM@rjX%7x+^Acz$n^a#Ci}P_lk<Uh+hWb;^;HIf1v}R4SCZF|{L&hWtqSg*w7L
+z!pU^I^vd*48NnInG9@$lnf+Vzw(Q^XBFio7=dI|i?5#c7s@c1;C$~9ntJw~1kJ{d|
+zLw!f?j_IB5JL`85cg64eBgZJGIOqNDklmfRO1V38r}nt-Y04AJ6XcEUwb@&}5514K
+zZ(zUa{__3b^Evsq3XBR$3%(Yz3vc~o{8QOaiwB|)3=~-u9Y2UY$UiuG$o^1$v1D;p
+z@zi0T!)+z>lKhhQM>Ze1S!z~VeUx}qcyyv{ZCOXTM)|?=uNAQsBb82-EmewD`>Q@4
+z;~X14?r^-hTB*9A`pXI4iTgF~HEp$8wWTMqC(}<puM4j0`<eN3!zuYw1*g89=AWLZ
+z52){Luxw~(RBSA2f}4a*GiM^s4F2NsOGh)Kxu!*?rQj?$D?Iz^*T`Q-TfJL*&N0t5
+z|EBp{)p_dq{5Gg<OWRy~Z2Lq<SjW%>uM0h$Hl62xH~9T@mugq#Md^!0-Nf$P?!`-4
+zm*y`gU!J`Zb7iV$bI<tI(5v@){d)(ld0)G6-R=6-KF7XGH*9Zo-L$@W;TH2&`)!Nc
+zZT;r`=l?MO<NScdK-(S5I~{{ogPlWbhPsFChp*gqxqJPd=e^q_>qdq~gGTR<MT||{
+z=iGn!AmPE=hv^R&#&<r#Jj#D8@woJf;*;8^x=&jsEG8~ax=i*zTmNi)iaquE&(uG^
+zPUk+SJTHBr@}l9T$;+-8x0%6L8(vMnPJX>GoA)2d|5UxvdGp&}4uAE}h0aaC6}(;i
+zyYQXdyVLK@-uKM=%|H2&_+jB={wKLl^`Dua`@V#Hd9jf375BC5o9?&H@7~`ZEha85
+z{-8k&JYAjX7RFW<77P=HG2Mk5%@QW0(M8J6IVmAYD4?%TX0f?+23;gpmIcJWHm~TE
+zsB!?>_W&UKaK(pgBT{F`Sk`1q_=ApIvi~>1Kja-poFc8Ycg2@f3jlK-0Mx-$UJPB7
+z<Qx!4|Dg|z0B$r_z~v)H4d!t(c>EaT{Co~CjhDoy^Z4|Cv`LizZ;q8ZSF~{&Hxtp1
+zNS#T^TLiqA*fhE)KaDHkvqTlK5|(a9AgVDnNsz`9Ca$I<O41yF)M!(arP?5}3nKHL
+eE-t>)0svP6z_+5s#f6&1#cxP2P~!kx7XBBF2+<<|
+
+literal 0
+HcmV?d00001
+
+diff --git a/dlls/winspool.drv/winspool.rc b/dlls/winspool.drv/winspool.rc
+index 50772ce60bb..1b573be096e 100644
+--- a/dlls/winspool.drv/winspool.rc
++++ b/dlls/winspool.drv/winspool.rc
+@@ -47,6 +47,9 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
+ /* @makedep: generic.ppd */
+ 1 PPDFILE generic.ppd
+ 
++/* @makedep: sRGB_Color_Space_Profile.icm */
++IDR_SRGB_ICM RCDATA sRGB_Color_Space_Profile.icm
++
+ #define WINE_FILENAME_STR "winspool.drv"
+ #define WINE_FILEDESCRIPTION_STR "Wine core printer driver"
+ 
+diff --git a/dlls/winspool.drv/wspool.c b/dlls/winspool.drv/wspool.c
+index bbfb0fb0f42..baa7bfdb455 100644
+--- a/dlls/winspool.drv/wspool.c
++++ b/dlls/winspool.drv/wspool.c
+@@ -104,6 +104,43 @@ BOOL load_backend(void)
+     return FALSE;
+ }
+ 
++static void create_color_profiles(void)
++{
++    static const WCHAR color_dir[] = {'\\','s','p','o','o','l',
++                                      '\\','d','r','i','v','e','r','s',
++                                      '\\','c','o','l','o','r','\\',0};
++    static const WCHAR srgb_icm[] = {'s','R','G','B',' ',
++                                     'C','o','l','o','r',' ',
++                                     'S','p','a','c','e',' ',
++                                     'P','r','o','f','i','l','e','.','i','c','m',0};
++    WCHAR profile_path[MAX_PATH];
++    HANDLE file;
++    HRSRC res;
++    DWORD size, written;
++    char *data;
++    BOOL ret;
++
++    GetSystemDirectoryW(profile_path, ARRAY_SIZE(profile_path));
++    lstrcatW(profile_path, color_dir);
++    lstrcatW(profile_path, srgb_icm);
++
++    file = CreateFileW(profile_path, GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
++    if (file == INVALID_HANDLE_VALUE)
++        return;
++
++    ret = ((res = FindResourceA(WINSPOOL_hInstance, MAKEINTRESOURCEA(IDR_SRGB_ICM), (const char *)RT_RCDATA)) &&
++           (size = SizeofResource(WINSPOOL_hInstance, res)) &&
++           (data = LoadResource(WINSPOOL_hInstance, res)) &&
++           WriteFile(file, data, size, &written, NULL) &&
++           written == size);
++    CloseHandle(file);
++    if (!ret)
++    {
++        ERR("Failed to create %s\n", wine_dbgstr_w(profile_path));
++        DeleteFileW(profile_path);
++    }
++}
++
+ /******************************************************************************
+  *  DllMain
+  *
+@@ -118,6 +155,7 @@ BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD reason, LPVOID lpReserved)
+       WINSPOOL_hInstance = hInstance;
+       DisableThreadLibraryCalls(hInstance);
+       WINSPOOL_LoadSystemPrinters();
++      create_color_profiles();
+       break;
+     }
+     case DLL_PROCESS_DETACH:
+diff --git a/dlls/winspool.drv/wspool.h b/dlls/winspool.drv/wspool.h
+index 06c28231330..a229b1ffe88 100644
+--- a/dlls/winspool.drv/wspool.h
++++ b/dlls/winspool.drv/wspool.h
+@@ -33,5 +33,7 @@ extern void WINSPOOL_LoadSystemPrinters(void) DECLSPEC_HIDDEN;
+ #define IDS_FILE_EXISTS   11
+ #define IDS_CANNOT_OPEN   12
+ 
++#define IDR_SRGB_ICM       2
++
+ #define FILENAME_DIALOG  100
+ #define EDITBOX 201
+-- 
+2.28.0
+

patches/color-sRGB-profile/definition

@@ -0,0 +1 @@
+Fixes: [37396] Add sRGB color profile.

patches/configure-Absolute_RPATH/0001-configure-Also-add-the-absolute-RPATH-when-linking-a.patch

@@ -1,30 +0,0 @@
-From 38d4fa059ffd4ecba4e7d04e2a5edd2bcff3c7df Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Wed, 27 Aug 2014 00:31:23 +0200
-Subject: [PATCH] configure: Also add the absolute RPATH when linking against
- libwine.
-
----
- configure.ac | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index c88013910af..a7f1866bf0d 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -969,10 +969,10 @@ case $host_os in
-       WINEPRELOADER_LDFLAGS="-static -nostartfiles -nodefaultlibs -Wl,-Ttext=0x7d400000"
- 
-       WINE_TRY_CFLAGS([-Wl,--rpath,\$ORIGIN/../lib],
--                      [LDRPATH_INSTALL="-Wl,--rpath,\\\$\$ORIGIN/\`\$(MAKEDEP) -R \${bindir} \${libdir}\`"
-+                      [LDRPATH_INSTALL="-Wl,--rpath,\\\$\$ORIGIN/\`\$(MAKEDEP) -R \${bindir} \${libdir}\`:\$(DESTDIR)\${libdir}"
-                        LDRPATH_LOCAL="-Wl,--rpath,\\\$\$ORIGIN/\$(top_builddir)/libs/wine"],
-           [WINE_TRY_CFLAGS([-Wl,-R,\$ORIGIN/../lib],
--                           [LDRPATH_INSTALL="-Wl,-R,\\\$\$ORIGIN/\`\$(MAKEDEP) -R \${bindir} \${libdir}\`"
-+                           [LDRPATH_INSTALL="-Wl,-R,\\\$\$ORIGIN/\`\$(MAKEDEP) -R \${bindir} \${libdir}\`:\$(DESTDIR)\${libdir}"
-                             LDRPATH_LOCAL="-Wl,-R,\\\$\$ORIGIN/\$(top_builddir)/libs/wine"])])
- 
-       WINE_TRY_CFLAGS([-Wl,--enable-new-dtags],
--- 
-2.27.0
-