Release v6.5

This was fixed upstream at some point.

.github/workflows/macOS.yml

@@ -0,0 +1,128 @@
+name: MacOS
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+  workflow_dispatch:
+
+jobs:
+  wine-staging:
+    runs-on:  macos-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Install dependencies
+        run: |
+          brew install --cask xquartz
+          brew install  bison \
+                        faudio \
+                        gphoto2 \
+                        gst-plugins-base \
+                        little-cms2 \
+                        mingw-w64 \
+                        molten-vk \
+                        mpg123
+
+      - name: Add bison & krb5 to $PATH
+        run: |
+          set -eu
+          echo "$(brew --prefix bison)/bin" >> $GITHUB_PATH
+          echo "$(brew --prefix krb5)/bin" >> $GITHUB_PATH
+
+      - name: Get upstream-commit
+        run: |
+          mkdir $GITHUB_WORKSPACE/wine
+          cd wine
+          git init
+          git fetch git://source.winehq.org/git/wine.git $($GITHUB_WORKSPACE/patches/patchinstall.sh --upstream-commit) --depth=1
+          git checkout $($GITHUB_WORKSPACE/patches/patchinstall.sh --upstream-commit)
+
+      - name: Run patchinstall.sh --all
+        run: |
+          $GITHUB_WORKSPACE/patches/patchinstall.sh DESTDIR=$GITHUB_WORKSPACE/wine --all
+
+      - name: Configure wine64
+        env:
+          LDFLAGS: "-Wl,-rpath,/opt/X11/lib"
+          # Avoid weird linker errors with Xcode 10 and later
+          MACOSX_DEPLOYMENT_TARGET: "10.14"
+        run: |
+          cd $GITHUB_WORKSPACE/wine
+          ./configure   --enable-win64 \
+                        --without-alsa \
+                        --without-capi \
+                        --without-dbus \
+                        --without-inotify \
+                        --without-oss \
+                        --without-pulse \
+                        --without-udev \
+                        --without-v4l2 \
+                        --x-include=/opt/X11/include \
+                        --x-lib=/opt/X11/lib
+
+      - name: Build wine64
+        run: |
+          cd $GITHUB_WORKSPACE/wine
+          make -j$(sysctl -n hw.ncpu 2>/dev/null)
+
+  wine-devel:
+    runs-on:  macos-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Install dependencies
+        run: |
+          brew install --cask xquartz
+          brew install  bison \
+                        faudio \
+                        gphoto2 \
+                        gst-plugins-base \
+                        little-cms2 \
+                        mingw-w64 \
+                        molten-vk \
+                        mpg123
+
+      - name: Add bison & krb5 to $PATH
+        run: |
+          set -eu
+          echo "$(brew --prefix bison)/bin" >> $GITHUB_PATH
+          echo "$(brew --prefix krb5)/bin" >> $GITHUB_PATH
+
+      - name: Get upstream-commit
+        run: |
+          mkdir $GITHUB_WORKSPACE/wine
+          cd wine
+          git init
+          git fetch git://source.winehq.org/git/wine.git $($GITHUB_WORKSPACE/patches/patchinstall.sh --upstream-commit) --depth=1
+          git checkout $($GITHUB_WORKSPACE/patches/patchinstall.sh --upstream-commit)
+
+      - name: Configure wine64
+        env:
+          LDFLAGS: "-Wl,-rpath,/opt/X11/lib"
+          # Avoid weird linker errors with Xcode 10 and later
+          MACOSX_DEPLOYMENT_TARGET: "10.14"
+        run: |
+          cd $GITHUB_WORKSPACE/wine
+
+          cd $GITHUB_WORKSPACE/wine
+          ./configure   --enable-win64 \
+                        --without-alsa \
+                        --without-capi \
+                        --without-dbus \
+                        --without-inotify \
+                        --without-oss \
+                        --without-pulse \
+                        --without-udev \
+                        --without-v4l2 \
+                        --x-include=/opt/X11/include \
+                        --x-lib=/opt/X11/lib
+
+      - name: Build wine64
+        run: |
+          cd $GITHUB_WORKSPACE/wine
+          make -j$(sysctl -n hw.ncpu 2>/dev/null)

patches/Compiler_Warnings/0026-dwrite-Avoid-implicit-cast-of-interface-pointer.patch

@@ -1,4 +1,4 @@
-From 7529755fcc41fda650aac6b27f34438354435d34 Mon Sep 17 00:00:00 2001
+From b51fdc7e211f676d169c937209bf689e57252c5d Mon Sep 17 00:00:00 2001
 From: Sebastian Lackner <sebastian@fds-team.de>
 Date: Tue, 22 Mar 2016 21:58:40 +0100
 Subject: [PATCH] dwrite: Avoid implicit cast of interface pointer.
@@ -9,10 +9,10 @@ Subject: [PATCH] dwrite: Avoid implicit cast of interface pointer.
  2 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/dlls/dwrite/font.c b/dlls/dwrite/font.c
-index 9280b5d32..2f0974a4c 100644
+index aa51c744297..7cad015480f 100644
 --- a/dlls/dwrite/font.c
 +++ b/dlls/dwrite/font.c
-@@ -1887,7 +1887,7 @@ static struct dwrite_font *unsafe_impl_from_IDWriteFont(IDWriteFont *iface)
+@@ -2130,7 +2130,7 @@ static struct dwrite_font *unsafe_impl_from_IDWriteFont(IDWriteFont *iface)
      if (!iface)
          return NULL;
      assert(iface->lpVtbl == (IDWriteFontVtbl*)&dwritefontvtbl);
@@ -21,7 +21,7 @@ index 9280b5d32..2f0974a4c 100644
  }
  
  struct dwrite_fontface *unsafe_impl_from_IDWriteFontFace(IDWriteFontFace *iface)
-@@ -1895,7 +1895,7 @@ struct dwrite_fontface *unsafe_impl_from_IDWriteFontFace(IDWriteFontFace *iface)
+@@ -2138,7 +2138,7 @@ struct dwrite_fontface *unsafe_impl_from_IDWriteFontFace(IDWriteFontFace *iface)
      if (!iface)
          return NULL;
      assert(iface->lpVtbl == (IDWriteFontFaceVtbl*)&dwritefontfacevtbl);
@@ -31,10 +31,10 @@ index 9280b5d32..2f0974a4c 100644
  
  static struct dwrite_fontfacereference *unsafe_impl_from_IDWriteFontFaceReference(IDWriteFontFaceReference *iface)
 diff --git a/dlls/dwrite/layout.c b/dlls/dwrite/layout.c
-index b9321157a..76ea23ba6 100644
+index 1f6201a6a93..35791d5c22e 100644
 --- a/dlls/dwrite/layout.c
 +++ b/dlls/dwrite/layout.c
-@@ -5895,7 +5895,7 @@ static const IDWriteTextFormat3Vtbl dwritetextformatvtbl =
+@@ -5886,7 +5886,7 @@ static const IDWriteTextFormat3Vtbl dwritetextformatvtbl =
  static struct dwrite_textformat *unsafe_impl_from_IDWriteTextFormat(IDWriteTextFormat *iface)
  {
      return (iface->lpVtbl == (IDWriteTextFormatVtbl*)&dwritetextformatvtbl) ?
@@ -42,7 +42,7 @@ index b9321157a..76ea23ba6 100644
 +        CONTAINING_RECORD((IDWriteTextFormat3 *)iface, struct dwrite_textformat, IDWriteTextFormat3_iface) : NULL;
  }
  
- HRESULT create_textformat(const WCHAR *family_name, IDWriteFontCollection *collection, DWRITE_FONT_WEIGHT weight, DWRITE_FONT_STYLE style,
+ HRESULT create_textformat(const WCHAR *family_name, IDWriteFontCollection *collection, DWRITE_FONT_WEIGHT weight,
 -- 
-2.24.0
+2.29.2
 

patches/Staging/0001-kernel32-Add-winediag-message-to-show-warning-that-t.patch

@@ -1,4 +1,4 @@
-From 700513f28e4844cbfc40b3ebf1b77cf121b71e71 Mon Sep 17 00:00:00 2001
+From 0cf6433af95363c5fbba2af482b2ba50b863dfb7 Mon Sep 17 00:00:00 2001
 From: Sebastian Lackner <sebastian@fds-team.de>
 Date: Thu, 2 Oct 2014 19:44:31 +0200
 Subject: [PATCH] ntdll: Print a warning message specifying the wine-staging
@@ -9,7 +9,7 @@ Subject: [PATCH] ntdll: Print a warning message specifying the wine-staging
  1 file changed, 15 insertions(+)
 
 diff --git a/dlls/ntdll/loader.c b/dlls/ntdll/loader.c
-index 587c87bbfc0..05b40326d82 100644
+index 20bc3f977d1..c2187a19397 100644
 --- a/dlls/ntdll/loader.c
 +++ b/dlls/ntdll/loader.c
 @@ -44,6 +44,7 @@ WINE_DECLARE_DEBUG_CHANNEL(relay);
@@ -20,7 +20,7 @@ index 587c87bbfc0..05b40326d82 100644
  
  #ifdef _WIN64
  #define DEFAULT_SECURITY_COOKIE_64  (((ULONGLONG)0x00002b99 << 32) | 0x2ddfa232)
-@@ -3487,6 +3488,7 @@ static void process_breakpoint(void)
+@@ -3456,6 +3457,7 @@ static void process_breakpoint(void)
      __ENDTRY
  }
  
@@ -28,17 +28,17 @@ index 587c87bbfc0..05b40326d82 100644
  
  /******************************************************************
   *		LdrInitializeThunk (NTDLL.@)
-@@ -3497,6 +3499,9 @@ static void process_breakpoint(void)
+@@ -3465,6 +3467,9 @@ static void process_breakpoint(void)
+  */
  void WINAPI LdrInitializeThunk( CONTEXT *context, ULONG_PTR unknown2, ULONG_PTR unknown3, ULONG_PTR unknown4 )
  {
-     static const unsigned int fls_slot_count = 8 * sizeof(NtCurrentTeb()->Peb->FlsBitmapBits);
 +    OBJECT_ATTRIBUTES staging_event_attr;
 +    UNICODE_STRING staging_event_string;
 +    HANDLE staging_event;
      static int attach_done;
      int i;
      NTSTATUS status;
-@@ -3515,6 +3520,16 @@ void WINAPI LdrInitializeThunk( CONTEXT *context, ULONG_PTR unknown2, ULONG_PTR
+@@ -3483,6 +3488,16 @@ void WINAPI LdrInitializeThunk( CONTEXT *context, ULONG_PTR unknown2, ULONG_PTR
      entry = (void **)&context->u.s.X0;
  #endif
  

patches/Staging/0002-winelib-Append-Staging-at-the-end-of-the-version-s.patch

@@ -1,25 +1,25 @@
-From b1bbc311c1e2dec72e04be9c668b6072d11b04fb Mon Sep 17 00:00:00 2001
+From cfcc687562d4fa68b507cbf2c29722ef523d26aa Mon Sep 17 00:00:00 2001
 From: Sebastian Lackner <sebastian@fds-team.de>
 Date: Thu, 2 Oct 2014 19:53:46 +0200
 Subject: [PATCH] winelib: Append '(Staging)' at the end of the version string.
 
 ---
- dlls/ntdll/Makefile.in | 2 +-
+ Makefile.in | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/dlls/ntdll/Makefile.in b/dlls/ntdll/Makefile.in
-index a553536d4c7..71e3df13b66 100644
---- a/dlls/ntdll/Makefile.in
-+++ b/dlls/ntdll/Makefile.in
-@@ -81,7 +81,7 @@ unix_loader_EXTRADEFS = \
- 	-DBIN_TO_DATADIR=\"`${MAKEDEP} -R ${bindir} ${datadir}/wine`\"
+diff --git a/Makefile.in b/Makefile.in
+index b52495f741f..d5a8cad20da 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -116,7 +116,7 @@ install-manpages:: manpages
+ # Rules for generated source files
  
- unix/version.c: dummy
--	version=`(GIT_DIR=$(top_srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || (rm -f $@ && exit 1)
-+	version=`(GIT_DIR=$(top_srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1 (Staging)";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || (rm -f $@ && exit 1)
+ dlls/ntdll/unix/version.c: dummy
+-	@version=`(GIT_DIR=$(srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || ($(RM) $@ && exit 1)
++	@version=`(GIT_DIR=$(srcdir)/.git git describe HEAD 2>/dev/null || echo "wine-$(PACKAGE_VERSION)") | sed -n -e '$$s/\(.*\)/const char wine_build[] = "\1 (Staging)";/p'` && (echo $$version | cmp -s - $@) || echo $$version >$@ || (rm -f $@ && exit 1)
  
- dummy:
- .PHONY: dummy
+ programs/winetest/build.rc: dummy
+ 	@build="STRINGTABLE { 1 \"`GIT_DIR=$(srcdir)/.git git rev-parse HEAD 2>/dev/null`\" }" && (echo $$build | cmp -s - $@) || echo $$build >$@ || (rm -f $@ && exit 1)
 -- 
-2.28.0
+2.20.1
 

patches/Staging/definition

@@ -1 +0,0 @@
-Depends: ntdll-FLS_Callbacks

patches/advapi32-CreateRestrictedToken/0001-ntdll-Implement-NtFilterToken.patch

@@ -1,334 +0,0 @@
-From 1b222275e7faf71ae1e5c94e297004055ec6f82f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Fri, 4 Aug 2017 02:33:14 +0200
-Subject: [PATCH] ntdll: Implement NtFilterToken.
-
----
- dlls/ntdll/ntdll.spec      |  2 +-
- dlls/ntdll/unix/security.c | 64 +++++++++++++++++++++++++++++
- include/winnt.h            |  5 +++
- include/winternl.h         |  1 +
- server/named_pipe.c        |  2 +-
- server/process.c           |  2 +-
- server/protocol.def        | 10 +++++
- server/security.h          |  4 +-
- server/token.c             | 84 +++++++++++++++++++++++++++++++++++++-
- 9 files changed, 168 insertions(+), 6 deletions(-)
-
-diff --git a/dlls/ntdll/ntdll.spec b/dlls/ntdll/ntdll.spec
-index a3bc57716da..f604c8a3c35 100644
---- a/dlls/ntdll/ntdll.spec
-+++ b/dlls/ntdll/ntdll.spec
-@@ -208,7 +208,7 @@
- # @ stub NtEnumerateSystemEnvironmentValuesEx
- @ stdcall -syscall NtEnumerateValueKey(long long long ptr long ptr)
- @ stub NtExtendSection
--# @ stub NtFilterToken
-+@ stdcall -syscall NtFilterToken(long long ptr ptr ptr ptr)
- @ stdcall -syscall NtFindAtom(ptr long ptr)
- @ stdcall -syscall NtFlushBuffersFile(long ptr)
- @ stdcall -syscall NtFlushInstructionCache(long ptr long)
-diff --git a/dlls/ntdll/unix/security.c b/dlls/ntdll/unix/security.c
-index daecc5e0591..d063d43d6d4 100644
---- a/dlls/ntdll/unix/security.c
-+++ b/dlls/ntdll/unix/security.c
-@@ -604,6 +604,70 @@ NTSTATUS WINAPI NtAdjustPrivilegesToken( HANDLE token, BOOLEAN disable, TOKEN_PR
- }
- 
- 
-+/***********************************************************************
-+ *             NtFilterToken  (NTDLL.@)
-+ */
-+NTSTATUS WINAPI NtFilterToken( HANDLE token, ULONG flags, TOKEN_GROUPS *disable_sids,
-+                               TOKEN_PRIVILEGES *privileges, TOKEN_GROUPS *restrict_sids,
-+                               HANDLE *new_token )
-+{
-+    data_size_t privileges_len = 0;
-+    data_size_t sids_len = 0;
-+    SID *sids = NULL;
-+    NTSTATUS status;
-+
-+    TRACE( "(%p, 0x%08x, %p, %p, %p, %p)\n", token, flags, disable_sids, privileges,
-+           restrict_sids, new_token );
-+
-+    if (flags)
-+        FIXME( "flags %x unsupported\n", flags );
-+
-+    if (restrict_sids)
-+        FIXME( "support for restricting sids not yet implemented\n" );
-+
-+    if (privileges)
-+        privileges_len = privileges->PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES);
-+
-+    if (disable_sids)
-+    {
-+        DWORD len, i;
-+        BYTE *tmp;
-+
-+        for (i = 0; i < disable_sids->GroupCount; i++)
-+        {
-+            SID *sid = disable_sids->Groups[i].Sid;
-+            sids_len += offsetof( SID, SubAuthority[sid->SubAuthorityCount] );
-+        }
-+
-+        sids = malloc( sids_len );
-+        if (!sids) return STATUS_NO_MEMORY;
-+
-+        for (i = 0, tmp = (BYTE *)sids; i < disable_sids->GroupCount; i++, tmp += len)
-+        {
-+            SID *sid = disable_sids->Groups[i].Sid;
-+            len = offsetof( SID, SubAuthority[sid->SubAuthorityCount] );
-+            memcpy( tmp, disable_sids->Groups[i].Sid, len );
-+        }
-+    }
-+
-+    SERVER_START_REQ( filter_token )
-+    {
-+        req->handle          = wine_server_obj_handle( token );
-+        req->flags           = flags;
-+        req->privileges_size = privileges_len;
-+        wine_server_add_data( req, privileges->Privileges, privileges_len );
-+        wine_server_add_data( req, sids, sids_len );
-+        status = wine_server_call( req );
-+        if (!status) *new_token = wine_server_ptr_handle( reply->new_handle );
-+    }
-+    SERVER_END_REQ;
-+
-+    free( sids );
-+    return status;
-+}
-+
-+
-+
- /***********************************************************************
-  *             NtPrivilegeCheck  (NTDLL.@)
-  */
-diff --git a/include/winnt.h b/include/winnt.h
-index e1cf78420a6..da17fe3e330 100644
---- a/include/winnt.h
-+++ b/include/winnt.h
-@@ -4221,6 +4221,11 @@ typedef enum _TOKEN_INFORMATION_CLASS {
- 					TOKEN_ADJUST_SESSIONID | \
- 					TOKEN_ADJUST_DEFAULT )
- 
-+#define DISABLE_MAX_PRIVILEGE 0x1
-+#define SANDBOX_INERT         0x2
-+#define LUA_TOKEN             0x4
-+#define WRITE_RESTRICTED      0x8
-+
- #ifndef _SECURITY_DEFINED
- #define _SECURITY_DEFINED
- 
-diff --git a/include/winternl.h b/include/winternl.h
-index b3fbb90feff..4687a410ca4 100644
---- a/include/winternl.h
-+++ b/include/winternl.h
-@@ -2749,6 +2749,7 @@ NTSYSAPI NTSTATUS  WINAPI NtDuplicateToken(HANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES
- NTSYSAPI NTSTATUS  WINAPI NtEnumerateKey(HANDLE,ULONG,KEY_INFORMATION_CLASS,void *,DWORD,DWORD *);
- NTSYSAPI NTSTATUS  WINAPI NtEnumerateValueKey(HANDLE,ULONG,KEY_VALUE_INFORMATION_CLASS,PVOID,ULONG,PULONG);
- NTSYSAPI NTSTATUS  WINAPI NtExtendSection(HANDLE,PLARGE_INTEGER);
-+NTSYSAPI NTSTATUS  WINAPI NtFilterToken(HANDLE,ULONG,TOKEN_GROUPS*,TOKEN_PRIVILEGES*,TOKEN_GROUPS*,HANDLE*);
- NTSYSAPI NTSTATUS  WINAPI NtFindAtom(const WCHAR*,ULONG,RTL_ATOM*);
- NTSYSAPI NTSTATUS  WINAPI NtFlushBuffersFile(HANDLE,IO_STATUS_BLOCK*);
- NTSYSAPI NTSTATUS  WINAPI NtFlushInstructionCache(HANDLE,LPCVOID,SIZE_T);
-diff --git a/server/named_pipe.c b/server/named_pipe.c
-index b259abb8de4..4cd4d7dc4a8 100644
---- a/server/named_pipe.c
-+++ b/server/named_pipe.c
-@@ -1142,7 +1142,7 @@ static int pipe_server_ioctl( struct fd *fd, ioctl_code_t code, struct async *as
-         if (current->process->token) /* FIXME: use the client token */
-         {
-             struct token *token;
--            if (!(token = token_duplicate( current->process->token, 0, SecurityImpersonation, NULL )))
-+            if (!(token = token_duplicate( current->process->token, 0, SecurityImpersonation, NULL, NULL, 0, NULL, 0 )))
-                 return 0;
-             if (current->token) release_object( current->token );
-             current->token = token;
-diff --git a/server/process.c b/server/process.c
-index 5e587b28cbe..406167e825b 100644
---- a/server/process.c
-+++ b/server/process.c
-@@ -577,7 +577,7 @@ struct process *create_process( int fd, struct process *parent, int inherit_all,
-                                        : alloc_handle_table( process, 0 );
-         /* Note: for security reasons, starting a new process does not attempt
-          * to use the current impersonation token for the new process */
--        process->token = token_duplicate( parent->token, TRUE, 0, NULL );
-+        process->token = token_duplicate( parent->token, TRUE, 0, NULL, NULL, 0, NULL, 0 );
-         process->affinity = parent->affinity;
-     }
-     if (!process->handles || !process->token) goto error;
-diff --git a/server/protocol.def b/server/protocol.def
-index a121c371c19..ee07b1eca14 100644
---- a/server/protocol.def
-+++ b/server/protocol.def
-@@ -3263,6 +3263,16 @@ enum caret_state
-     obj_handle_t  new_handle; /* duplicated handle */
- @END
- 
-+@REQ(filter_token)
-+    obj_handle_t  handle;          /* handle to the token to duplicate */
-+    unsigned int  flags;           /* flags */
-+    data_size_t   privileges_size; /* size of privileges */
-+    VARARG(privileges,LUID_AND_ATTRIBUTES,privileges_size); /* privileges to remove from new token */
-+    VARARG(disable_sids,SID);      /* array of groups to remove from new token */
-+@REPLY
-+    obj_handle_t  new_handle;      /* filtered handle */
-+@END
-+
- @REQ(access_check)
-     obj_handle_t    handle; /* handle to the token */
-     unsigned int    desired_access; /* desired access to the object */
-diff --git a/server/security.h b/server/security.h
-index 606dbb2ab2c..6c337143c3d 100644
---- a/server/security.h
-+++ b/server/security.h
-@@ -56,7 +56,9 @@ extern const PSID security_high_label_sid;
- extern struct token *token_create_admin(void);
- extern int token_assign_label( struct token *token, PSID label );
- extern struct token *token_duplicate( struct token *src_token, unsigned primary,
--                                      int impersonation_level, const struct security_descriptor *sd );
-+                                      int impersonation_level, const struct security_descriptor *sd,
-+                                      const LUID_AND_ATTRIBUTES *filter_privileges, unsigned int priv_count,
-+                                      const SID *filter_groups, unsigned int group_count );
- extern int token_check_privileges( struct token *token, int all_required,
-                                    const LUID_AND_ATTRIBUTES *reqprivs,
-                                    unsigned int count, LUID_AND_ATTRIBUTES *usedprivs);
-diff --git a/server/token.c b/server/token.c
-index 2fa95e17aaf..38a4c203d54 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -285,6 +285,19 @@ static int acl_is_valid( const ACL *acl, data_size_t size )
-     return TRUE;
- }
- 
-+static unsigned int get_sid_count( const SID *sid, data_size_t size )
-+{
-+    unsigned int count;
-+
-+    for (count = 0; size >= sizeof(SID) && security_sid_len( sid ) <= size; count++)
-+    {
-+        size -= security_sid_len( sid );
-+        sid = (const SID *)((char *)sid + security_sid_len( sid ));
-+    }
-+
-+    return count;
-+}
-+
- /* checks whether all members of a security descriptor fit inside the size
-  * of memory specified */
- int sd_is_valid( const struct security_descriptor *sd, data_size_t size )
-@@ -626,8 +639,36 @@ static struct token *create_token( unsigned primary, const SID *user,
-     return token;
- }
- 
-+static int filter_group( struct group *group, const SID *filter, unsigned int count )
-+{
-+    unsigned int i;
-+
-+    for (i = 0; i < count; i++)
-+    {
-+        if (security_equal_sid( &group->sid, filter )) return 1;
-+        filter = (const SID *)((char *)filter + security_sid_len( filter ));
-+    }
-+
-+    return 0;
-+}
-+
-+static int filter_privilege( struct privilege *privilege, const LUID_AND_ATTRIBUTES *filter, unsigned int count )
-+{
-+    unsigned int i;
-+
-+    for (i = 0; i < count; i++)
-+    {
-+        if (!memcmp( &privilege->luid, &filter[i].Luid, sizeof(LUID) ))
-+            return 1;
-+    }
-+
-+    return 0;
-+}
-+
- struct token *token_duplicate( struct token *src_token, unsigned primary,
--                               int impersonation_level, const struct security_descriptor *sd )
-+                               int impersonation_level, const struct security_descriptor *sd,
-+                               const LUID_AND_ATTRIBUTES *filter_privileges, unsigned int priv_count,
-+                               const SID *filter_groups, unsigned int group_count)
- {
-     const luid_t *modified_id =
-         primary || (impersonation_level == src_token->impersonation_level) ?
-@@ -663,6 +704,12 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
-             return NULL;
-         }
-         memcpy( newgroup, group, size );
-+        if (filter_group( group, filter_groups, group_count ))
-+        {
-+            newgroup->enabled = 0;
-+            newgroup->def = 0;
-+            newgroup->deny_only = 1;
-+        }
-         list_add_tail( &token->groups, &newgroup->entry );
-         if (src_token->primary_group == &group->sid)
-         {
-@@ -674,11 +721,14 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
- 
-     /* copy privileges */
-     LIST_FOR_EACH_ENTRY( privilege, &src_token->privileges, struct privilege, entry )
-+    {
-+        if (filter_privilege( privilege, filter_privileges, priv_count )) continue;
-         if (!privilege_add( token, &privilege->luid, privilege->enabled ))
-         {
-             release_object( token );
-             return NULL;
-         }
-+    }
- 
-     if (sd) default_set_sd( &token->obj, sd, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
-                             DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION );
-@@ -1311,7 +1361,7 @@ DECL_HANDLER(duplicate_token)
-                                                      TOKEN_DUPLICATE,
-                                                      &token_ops )))
-     {
--        struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level, sd );
-+        struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level, sd, NULL, 0, NULL, 0 );
-         if (token)
-         {
-             reply->new_handle = alloc_handle_no_access_check( current->process, token, req->access, objattr->attributes );
-@@ -1321,6 +1371,36 @@ DECL_HANDLER(duplicate_token)
-     }
- }
- 
-+/* creates a restricted version of a token */
-+DECL_HANDLER(filter_token)
-+{
-+    struct token *src_token;
-+
-+    if ((src_token = (struct token *)get_handle_obj( current->process, req->handle,
-+                                                     TOKEN_DUPLICATE,
-+                                                     &token_ops )))
-+    {
-+        const LUID_AND_ATTRIBUTES *filter_privileges = get_req_data();
-+        unsigned int priv_count, group_count;
-+        const SID *filter_groups;
-+        struct token *token;
-+
-+        priv_count = min( req->privileges_size, get_req_data_size() ) / sizeof(LUID_AND_ATTRIBUTES);
-+        filter_groups = (const SID *)((char *)filter_privileges + priv_count * sizeof(LUID_AND_ATTRIBUTES));
-+        group_count = get_sid_count( filter_groups, get_req_data_size() - priv_count * sizeof(LUID_AND_ATTRIBUTES) );
-+
-+        token = token_duplicate( src_token, src_token->primary, src_token->impersonation_level, NULL,
-+                                 filter_privileges, priv_count, filter_groups, group_count );
-+        if (token)
-+        {
-+            unsigned int access = get_handle_access( current->process, req->handle );
-+            reply->new_handle = alloc_handle_no_access_check( current->process, token, access, 0 );
-+            release_object( token );
-+        }
-+        release_object( src_token );
-+    }
-+}
-+
- /* checks the specified privileges are held by the token */
- DECL_HANDLER(check_token_privileges)
- {
--- 
-2.27.0
-

patches/advapi32-CreateRestrictedToken/0002-advapi32-Implement-CreateRestrictedToken.patch

@@ -1,132 +0,0 @@
-From 3c1f5962482e7acf531f57f49d923d9c4e5278b1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Fri, 4 Aug 2017 02:51:57 +0200
-Subject: [PATCH] advapi32: Implement CreateRestrictedToken.
-
----
- dlls/kernelbase/security.c | 103 ++++++++++++++++++++++++++++++-------
- 1 file changed, 84 insertions(+), 19 deletions(-)
-
-diff --git a/dlls/kernelbase/security.c b/dlls/kernelbase/security.c
-index 2e75e81ed77..97f6ee6a2fd 100644
---- a/dlls/kernelbase/security.c
-+++ b/dlls/kernelbase/security.c
-@@ -592,31 +592,96 @@ exit:
-     return ret;
- }
- 
-+static BOOL allocate_groups(TOKEN_GROUPS **groups_ret, SID_AND_ATTRIBUTES *sids, DWORD count)
-+{
-+    TOKEN_GROUPS *groups;
-+    DWORD i;
-+
-+    if (!count)
-+    {
-+        *groups_ret = NULL;
-+        return TRUE;
-+    }
-+
-+    groups = (TOKEN_GROUPS *)heap_alloc(FIELD_OFFSET(TOKEN_GROUPS, Groups) +
-+                                        count * sizeof(SID_AND_ATTRIBUTES));
-+    if (!groups)
-+    {
-+        SetLastError(ERROR_OUTOFMEMORY);
-+        return FALSE;
-+    }
-+
-+    groups->GroupCount = count;
-+    for (i = 0; i < count; i++)
-+        groups->Groups[i] = sids[i];
-+
-+    *groups_ret = groups;
-+    return TRUE;
-+}
-+
-+static BOOL allocate_privileges(TOKEN_PRIVILEGES **privileges_ret, LUID_AND_ATTRIBUTES *privs, DWORD count)
-+{
-+    TOKEN_PRIVILEGES *privileges;
-+    DWORD i;
-+
-+    if (!count)
-+    {
-+        *privileges_ret = NULL;
-+        return TRUE;
-+    }
-+
-+    privileges = (TOKEN_PRIVILEGES *)heap_alloc(FIELD_OFFSET(TOKEN_PRIVILEGES, Privileges) +
-+                                                count * sizeof(LUID_AND_ATTRIBUTES));
-+    if (!privileges)
-+    {
-+        SetLastError(ERROR_OUTOFMEMORY);
-+        return FALSE;
-+    }
-+
-+    privileges->PrivilegeCount = count;
-+    for (i = 0; i < count; i++)
-+        privileges->Privileges[i] = privs[i];
-+
-+    *privileges_ret = privileges;
-+    return TRUE;
-+}
-+
- /*************************************************************************
-  * CreateRestrictedToken    (kernelbase.@)
-  */
--BOOL WINAPI CreateRestrictedToken( HANDLE token, DWORD flags,
--                                   DWORD disable_count, PSID_AND_ATTRIBUTES disable_sids,
--                                   DWORD delete_count, PLUID_AND_ATTRIBUTES delete_privs,
--                                   DWORD restrict_count, PSID_AND_ATTRIBUTES restrict_sids, PHANDLE ret )
-+BOOL WINAPI CreateRestrictedToken( HANDLE baseToken, DWORD flags,
-+                                   DWORD nDisableSids, PSID_AND_ATTRIBUTES disableSids,
-+                                   DWORD nDeletePrivs, PLUID_AND_ATTRIBUTES deletePrivs,
-+                                   DWORD nRestrictSids, PSID_AND_ATTRIBUTES restrictSids, PHANDLE newToken )
- {
--    TOKEN_TYPE type;
--    SECURITY_IMPERSONATION_LEVEL level = SecurityAnonymous;
--    DWORD size;
-+    TOKEN_PRIVILEGES *delete_privs = NULL;
-+    TOKEN_GROUPS *disable_groups = NULL;
-+    TOKEN_GROUPS *restrict_sids = NULL;
-+    BOOL ret = FALSE;
- 
--    FIXME("(%p, 0x%x, %u, %p, %u, %p, %u, %p, %p): stub\n",
--          token, flags, disable_count, disable_sids, delete_count, delete_privs,
--          restrict_count, restrict_sids, ret );
-+    TRACE("(%p, 0x%x, %u, %p, %u, %p, %u, %p, %p)\n",
-+          baseToken, flags, nDisableSids, disableSids,
-+          nDeletePrivs, deletePrivs,
-+          nRestrictSids, restrictSids,
-+          newToken);
-+
-+    if (!allocate_groups(&disable_groups, disableSids, nDisableSids))
-+        goto done;
-+
-+    if (!allocate_privileges(&delete_privs, deletePrivs, nDeletePrivs))
-+        goto done;
-+
-+    if (!allocate_groups(&restrict_sids, restrictSids, nRestrictSids))
-+        goto done;
-+
-+    ret = set_ntstatus(NtFilterToken(baseToken, flags, disable_groups, delete_privs, restrict_sids, newToken));
-+
-+done:
-+    heap_free(disable_groups);
-+    heap_free(delete_privs);
-+    heap_free(restrict_sids);
-+    return ret;
- 
--    size = sizeof(type);
--    if (!GetTokenInformation( token, TokenType, &type, size, &size )) return FALSE;
--    if (type == TokenImpersonation)
--    {
--        size = sizeof(level);
--        if (!GetTokenInformation( token, TokenImpersonationLevel, &level, size, &size ))
--            return FALSE;
--    }
--    return DuplicateTokenEx( token, MAXIMUM_ALLOWED, NULL, level, type, ret );
- }
- 
- /******************************************************************************
--- 
-2.20.1
-

patches/advapi32-CreateRestrictedToken/definition

@@ -1 +0,0 @@
-Fixes: [25834] Implement advapi32.CreateRestrictedToken

patches/advapi32-Token_Integrity_Level/0002-server-Implement-token-elevation-information.patch

@@ -1,137 +0,0 @@
-From d2e98b2054a5af671fd81ded32f2cf60a062312c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Sat, 5 Aug 2017 00:26:03 +0200
-Subject: [PATCH] server: Implement token elevation information.
-
----
- dlls/ntdll/unix/security.c | 16 ++++++++++++----
- server/protocol.def        |  8 ++++++++
- server/token.c             | 22 +++++++++++++++++++---
- 3 files changed, 39 insertions(+), 7 deletions(-)
-
-diff --git a/dlls/ntdll/unix/security.c b/dlls/ntdll/unix/security.c
-index d063d43d6d4..03a81afa46e 100644
---- a/dlls/ntdll/unix/security.c
-+++ b/dlls/ntdll/unix/security.c
-@@ -390,19 +390,27 @@ NTSTATUS WINAPI NtQueryInformationToken( HANDLE token, TOKEN_INFORMATION_CLASS c
-         break;
- 
-     case TokenElevationType:
-+        SERVER_START_REQ( get_token_elevation_type )
-         {
-             TOKEN_ELEVATION_TYPE *type = info;
--            FIXME("QueryInformationToken( ..., TokenElevationType, ...) semi-stub\n");
--            *type = TokenElevationTypeFull;
-+            req->handle = wine_server_obj_handle( token );
-+            status = wine_server_call( req );
-+            if (status == STATUS_SUCCESS)
-+                *type = reply->elevation;
-         }
-+        SERVER_END_REQ;
-         break;
- 
-     case TokenElevation:
-+        SERVER_START_REQ( get_token_elevation_type )
-         {
-             TOKEN_ELEVATION *elevation = info;
--            FIXME("QueryInformationToken( ..., TokenElevation, ...) semi-stub\n");
--            elevation->TokenIsElevated = TRUE;
-+            req->handle = wine_server_obj_handle( token );
-+            status = wine_server_call( req );
-+            if (status == STATUS_SUCCESS)
-+                elevation->TokenIsElevated = (reply->elevation == TokenElevationTypeFull);
-         }
-+        SERVER_END_REQ;
-         break;
- 
-     case TokenSessionId:
-diff --git a/server/protocol.def b/server/protocol.def
-index ee07b1eca14..84f0b577d72 100644
---- a/server/protocol.def
-+++ b/server/protocol.def
-@@ -3566,6 +3566,14 @@ struct handle_info
- @END
- 
- 
-+/* Get elevation level of token */
-+@REQ(get_token_elevation_type)
-+    obj_handle_t   handle;        /* handle to the object */
-+@REPLY
-+    unsigned int   elevation;     /* elevation level */
-+@END
-+
-+
- /* Create I/O completion port */
- @REQ(create_completion)
-     unsigned int access;          /* desired access to a port */
-diff --git a/server/token.c b/server/token.c
-index 38a4c203d54..14343637af5 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -110,6 +110,7 @@ struct token
-     ACL           *default_dacl;    /* the default DACL to assign to objects created by this user */
-     TOKEN_SOURCE   source;          /* source of the token */
-     int            impersonation_level; /* impersonation level this token is capable of if non-primary token */
-+    TOKEN_ELEVATION_TYPE elevation; /* elevation level */
- };
- 
- struct privilege
-@@ -552,7 +553,7 @@ static struct token *create_token( unsigned primary, const SID *user,
-                                    const LUID_AND_ATTRIBUTES *privs, unsigned int priv_count,
-                                    const ACL *default_dacl, TOKEN_SOURCE source,
-                                    const luid_t *modified_id,
--                                   int impersonation_level )
-+                                   int impersonation_level, TOKEN_ELEVATION_TYPE elevation )
- {
-     struct token *token = alloc_object( &token_ops );
-     if (token)
-@@ -574,6 +575,7 @@ static struct token *create_token( unsigned primary, const SID *user,
-             token->impersonation_level = impersonation_level;
-         token->default_dacl = NULL;
-         token->primary_group = NULL;
-+        token->elevation = elevation;
- 
-         /* copy user */
-         token->user = memdup( user, security_sid_len( user ));
-@@ -689,7 +691,8 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
-     token = create_token( primary, src_token->user, NULL, 0,
-                           NULL, 0, src_token->default_dacl,
-                           src_token->source, modified_id,
--                          impersonation_level );
-+                          impersonation_level,
-+                          src_token->elevation );
-     if (!token) return token;
- 
-     /* copy groups */
-@@ -895,7 +898,7 @@ struct token *token_create_admin( void )
-         static const TOKEN_SOURCE admin_source = {"SeMgr", {0, 0}};
-         token = create_token( TRUE, user_sid, admin_groups, ARRAY_SIZE( admin_groups ),
-                               admin_privs, ARRAY_SIZE( admin_privs ), default_dacl,
--                              admin_source, NULL, -1 );
-+                              admin_source, NULL, -1, TokenElevationTypeFull );
-         /* we really need a primary group */
-         assert( token->primary_group );
-     }
-@@ -1634,6 +1637,19 @@ DECL_HANDLER(get_token_statistics)
-     }
- }
- 
-+DECL_HANDLER(get_token_elevation_type)
-+{
-+    struct token *token;
-+
-+    if ((token = (struct token *)get_handle_obj( current->process, req->handle,
-+                                                 TOKEN_QUERY,
-+                                                 &token_ops )))
-+    {
-+        reply->elevation = token->elevation;
-+        release_object( token );
-+    }
-+}
-+
- DECL_HANDLER(get_token_default_dacl)
- {
-     struct token *token;
--- 
-2.27.0
-

patches/advapi32-Token_Integrity_Level/0003-server-Correctly-treat-zero-access-mask-in-duplicate.patch

@@ -1,81 +0,0 @@
-From 7e73f449d158f0d6a6b6b421d073dbaf1741e1c7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Mon, 7 Aug 2017 02:22:11 +0200
-Subject: server: Correctly treat zero access mask in duplicate_token
- wineserver call.
-
----
- dlls/advapi32/tests/security.c | 14 +++++++-------
- server/token.c                 |  3 ++-
- 2 files changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
-index 4a03db27e69..f1a64e29dea 100644
---- a/dlls/advapi32/tests/security.c
-+++ b/dlls/advapi32/tests/security.c
-@@ -7438,7 +7438,7 @@ static void test_token_security_descriptor(void)
-             ret = DuplicateTokenEx(token4, 0, NULL, SecurityImpersonation, TokenImpersonation, &token5);
-             ok(ret, "DuplicateTokenEx failed with error %u\n", GetLastError());
-             ret = SetThreadToken(NULL, token5);
--            todo_wine ok(ret, "SetThreadToken failed with error %u\n", GetLastError());
-+            ok(ret, "SetThreadToken failed with error %u\n", GetLastError());
-             CloseHandle(token4);
- 
-             /* Restrict current process token while impersonating a medium integrity token */
-@@ -7503,16 +7503,16 @@ static void test_token_security_descriptor(void)
- 
-             size = 0;
-             ret = GetKernelObjectSecurity(token6, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
--            todo_wine ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
-+            ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
-                "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
- 
-             sd3 = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size);
-             ret = GetKernelObjectSecurity(token6, LABEL_SECURITY_INFORMATION, sd3, size, &size);
--            todo_wine ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
-+            ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- 
-             sacl = NULL;
-             ret = GetSecurityDescriptorSacl(sd3, &present, &sacl, &defaulted);
--            todo_wine ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
-+            ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
-             todo_wine ok(present, "No SACL in the security descriptor\n");
-             todo_wine ok(sacl != NULL, "NULL SACL in the security descriptor\n");
- 
-@@ -7606,16 +7606,16 @@ static void test_token_security_descriptor(void)
- 
-         size = 0;
-         ret = GetKernelObjectSecurity(token4, LABEL_SECURITY_INFORMATION, NULL, 0, &size);
--        todo_wine ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
-+        ok(!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER,
-            "Unexpected GetKernelObjectSecurity return value %u, error %u\n", ret, GetLastError());
- 
-         sd3 = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size);
-         ret = GetKernelObjectSecurity(token4, LABEL_SECURITY_INFORMATION, sd3, size, &size);
--        todo_wine ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
-+        ok(ret, "GetKernelObjectSecurity failed with error %u\n", GetLastError());
- 
-         sacl = NULL;
-         ret = GetSecurityDescriptorSacl(sd3, &present, &sacl, &defaulted);
--        todo_wine ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
-+        ok(ret, "GetSecurityDescriptorSacl failed with error %u\n", GetLastError());
-         todo_wine ok(present, "No SACL in the security descriptor\n");
-         todo_wine ok(sacl != NULL, "NULL SACL in the security descriptor\n");
- 
-diff --git a/server/token.c b/server/token.c
-index 6a1085bae12..292e1df80fd 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -1376,7 +1376,8 @@ DECL_HANDLER(duplicate_token)
-         struct token *token = token_duplicate( src_token, req->primary, req->impersonation_level, sd, NULL, 0, NULL, 0 );
-         if (token)
-         {
--            reply->new_handle = alloc_handle_no_access_check( current->process, token, req->access, objattr->attributes );
-+            unsigned int access = req->access ? req->access : get_handle_access( current->process, req->handle );
-+            reply->new_handle = alloc_handle_no_access_check( current->process, token, access, objattr->attributes );
-             release_object( token );
-         }
-         release_object( src_token );
--- 
-2.13.1
-

patches/advapi32-Token_Integrity_Level/0005-server-Use-all-group-attributes-in-create_token.patch

@@ -1,46 +0,0 @@
-From 48f4c131f9e8ffc091dde12437ad0772ed1c5ca6 Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Sun, 6 Aug 2017 15:16:33 +0200
-Subject: server: Use all group attributes in create_token.
-
----
- server/token.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/server/token.c b/server/token.c
-index 0019b3a..2a56664 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -592,13 +592,13 @@ static struct token *create_token( unsigned primary, const SID *user,
-                 return NULL;
-             }
-             memcpy( &group->sid, groups[i].Sid, security_sid_len( groups[i].Sid ));
--            group->enabled = TRUE;
--            group->def = TRUE;
--            group->logon = (groups[i].Attributes & SE_GROUP_LOGON_ID) != 0;
-             group->mandatory = (groups[i].Attributes & SE_GROUP_MANDATORY) != 0;
--            group->owner = (groups[i].Attributes & SE_GROUP_OWNER) != 0;
--            group->resource = FALSE;
--            group->deny_only = FALSE;
-+            group->def       = (groups[i].Attributes & SE_GROUP_ENABLED_BY_DEFAULT) != 0;
-+            group->enabled   = (groups[i].Attributes & SE_GROUP_ENABLED) != 0;
-+            group->owner     = (groups[i].Attributes & SE_GROUP_OWNER) != 0;
-+            group->deny_only = (groups[i].Attributes & SE_GROUP_USE_FOR_DENY_ONLY) != 0;
-+            group->logon     = (groups[i].Attributes & SE_GROUP_LOGON_ID) != 0;
-+            group->resource  = (groups[i].Attributes & SE_GROUP_RESOURCE) != 0;
-             list_add_tail( &token->groups, &group->entry );
-             /* Use first owner capable group as owner and primary group */
-             if (!token->primary_group && group->owner)
-@@ -1603,8 +1603,8 @@ DECL_HANDLER(get_token_groups)
-                     if (group->enabled) *attr_ptr |= SE_GROUP_ENABLED;
-                     if (group->owner) *attr_ptr |= SE_GROUP_OWNER;
-                     if (group->deny_only) *attr_ptr |= SE_GROUP_USE_FOR_DENY_ONLY;
--                    if (group->resource) *attr_ptr |= SE_GROUP_RESOURCE;
-                     if (group->logon) *attr_ptr |= SE_GROUP_LOGON_ID;
-+                    if (group->resource) *attr_ptr |= SE_GROUP_RESOURCE;
- 
-                     memcpy(sid_ptr, &group->sid, security_sid_len( &group->sid ));
- 
--- 
-2.7.4
-

patches/advapi32-Token_Integrity_Level/0006-ntdll-Add-function-to-create-new-tokens-for-elevatio.patch

@@ -1,219 +0,0 @@
-From c47977a8bbd739483589d1f01cfece435be1c100 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Sat, 5 Aug 2017 01:45:29 +0200
-Subject: [PATCH] ntdll: Add function to create new tokens for elevation
- purposes.
-
----
- dlls/ntdll/ntdll.spec   |  3 ++
- dlls/ntdll/ntdll_misc.h |  3 ++
- dlls/ntdll/process.c    | 18 +++++++++
- server/protocol.def     |  8 ++++
- server/security.h       |  1 +
- server/token.c          | 84 +++++++++++++++++++++++++++++++++++++++++
- 6 files changed, 117 insertions(+)
-
-diff --git a/dlls/ntdll/ntdll.spec b/dlls/ntdll/ntdll.spec
-index 0997c310110..8e3786e1972 100644
---- a/dlls/ntdll/ntdll.spec
-+++ b/dlls/ntdll/ntdll.spec
-@@ -1600,6 +1600,9 @@
- # Virtual memory
- @ cdecl __wine_locked_recvmsg(long ptr long)
- 
-+# Token
-+@ cdecl __wine_create_default_token(long)
-+
- # Version
- @ cdecl wine_get_version()
- @ cdecl wine_get_build_id()
-diff --git a/dlls/ntdll/ntdll_misc.h b/dlls/ntdll/ntdll_misc.h
-index 63ceac42e94..5a98501381b 100644
---- a/dlls/ntdll/ntdll_misc.h
-+++ b/dlls/ntdll/ntdll_misc.h
-@@ -67,6 +67,9 @@ extern void init_user_process_params(void) DECLSPEC_HIDDEN;
- extern NTSTATUS restart_process( RTL_USER_PROCESS_PARAMETERS *params, NTSTATUS status ) DECLSPEC_HIDDEN;
- extern void CDECL DECLSPEC_NORETURN signal_start_thread( CONTEXT *ctx ) DECLSPEC_HIDDEN;
- 
-+/* token */
-+extern HANDLE CDECL __wine_create_default_token(BOOL admin);
-+
- /* server support */
- extern BOOL is_wow64 DECLSPEC_HIDDEN;
- 
-diff --git a/dlls/ntdll/process.c b/dlls/ntdll/process.c
-index 77ba5b371e2..3e91a1fa9c4 100644
---- a/dlls/ntdll/process.c
-+++ b/dlls/ntdll/process.c
-@@ -72,6 +72,24 @@ HANDLE CDECL __wine_make_process_system(void)
-     return ret;
- }
- 
-+/***********************************************************************
-+ *           __wine_create_default_token   (NTDLL.@)
-+ *
-+ * Creates a default limited or admin token.
-+ */
-+HANDLE CDECL __wine_create_default_token( BOOL admin )
-+{
-+    HANDLE ret = NULL;
-+    SERVER_START_REQ( create_token )
-+    {
-+        req->admin = admin;
-+        if (!wine_server_call( req ))
-+            ret = wine_server_ptr_handle( reply->token );
-+    }
-+    SERVER_END_REQ;
-+    return ret;
-+}
-+
- /***********************************************************************
-  *           restart_process
-  */
-diff --git a/server/protocol.def b/server/protocol.def
-index 30a102d7b82..a9308904afc 100644
---- a/server/protocol.def
-+++ b/server/protocol.def
-@@ -3481,6 +3481,14 @@ struct handle_info
- @END
- 
- 
-+/* Create a new token */
-+@REQ(create_token)
-+    unsigned int  admin;        /* admin or limited token */
-+@REPLY
-+    obj_handle_t  token;        /* handle for new token */
-+@END
-+
-+
- /* Create I/O completion port */
- @REQ(create_completion)
-     unsigned int access;          /* desired access to a port */
-diff --git a/server/security.h b/server/security.h
-index 6c337143c3d..21e90ccf23f 100644
---- a/server/security.h
-+++ b/server/security.h
-@@ -49,6 +49,7 @@ extern const PSID security_builtin_users_sid;
- extern const PSID security_builtin_admins_sid;
- extern const PSID security_domain_users_sid;
- extern const PSID security_high_label_sid;
-+extern const PSID security_medium_label_sid;
- 
- 
- /* token functions */
-diff --git a/server/token.c b/server/token.c
-index c4f1cd943c2..970ed1838da 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -77,6 +77,7 @@ static const SID anonymous_logon_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORIT
- static const SID authenticated_user_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_AUTHENTICATED_USER_RID } };
- static const SID local_system_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_LOCAL_SYSTEM_RID } };
- static const SID high_label_sid = { SID_REVISION, 1, { SECURITY_MANDATORY_LABEL_AUTHORITY }, { SECURITY_MANDATORY_HIGH_RID } };
-+static const SID medium_label_sid = { SID_REVISION, 1, { SECURITY_MANDATORY_LABEL_AUTHORITY }, { SECURITY_MANDATORY_MEDIUM_RID } };
- static const SID_N(5) local_user_sid = { SID_REVISION, 5, { SECURITY_NT_AUTHORITY }, { SECURITY_NT_NON_UNIQUE, 0, 0, 0, 1000 } };
- static const SID_N(2) builtin_admins_sid = { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } };
- static const SID_N(2) builtin_users_sid = { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } };
-@@ -93,6 +94,7 @@ const PSID security_builtin_admins_sid = (PSID)&builtin_admins_sid;
- const PSID security_builtin_users_sid = (PSID)&builtin_users_sid;
- const PSID security_domain_users_sid = (PSID)&domain_users_sid;
- const PSID security_high_label_sid = (PSID)&high_label_sid;
-+const PSID security_medium_label_sid = (PSID)&medium_label_sid;
- 
- static luid_t prev_luid_value = { 1000, 0 };
- 
-@@ -915,6 +917,64 @@ struct token *token_create_admin( void )
-     return token;
- }
- 
-+static struct token *token_create_limited( void )
-+{
-+    struct token *token = NULL;
-+    static const SID_IDENTIFIER_AUTHORITY nt_authority = { SECURITY_NT_AUTHORITY };
-+    static const unsigned int alias_admins_subauth[] = { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS };
-+    static const unsigned int alias_users_subauth[] = { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS };
-+    /* on Windows, this value changes every time the user logs on */
-+    static const unsigned int logon_subauth[] = { SECURITY_LOGON_IDS_RID, 0, 1 /* FIXME: should be randomly generated when tokens are inherited by new processes */ };
-+    PSID alias_admins_sid;
-+    PSID alias_users_sid;
-+    PSID logon_sid;
-+    const SID *user_sid = security_unix_uid_to_sid( getuid() );
-+    ACL *default_dacl = create_default_dacl( user_sid );
-+
-+    alias_admins_sid = security_sid_alloc( &nt_authority, sizeof(alias_admins_subauth)/sizeof(alias_admins_subauth[0]),
-+                                           alias_admins_subauth );
-+    alias_users_sid = security_sid_alloc( &nt_authority, sizeof(alias_users_subauth)/sizeof(alias_users_subauth[0]),
-+                                          alias_users_subauth );
-+    logon_sid = security_sid_alloc( &nt_authority, sizeof(logon_subauth)/sizeof(logon_subauth[0]),
-+                                    logon_subauth );
-+
-+    if (alias_admins_sid && alias_users_sid && logon_sid && default_dacl)
-+    {
-+        const LUID_AND_ATTRIBUTES user_privs[] =
-+        {
-+            { SeChangeNotifyPrivilege        , SE_PRIVILEGE_ENABLED },
-+            { SeShutdownPrivilege            , 0                    },
-+            { SeUndockPrivilege              , 0                    },
-+        };
-+        /* note: we don't include non-builtin groups here for the user -
-+         * telling us these is the job of a client-side program */
-+        const SID_AND_ATTRIBUTES user_groups[] =
-+        {
-+            { security_world_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY },
-+            { security_local_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY },
-+            { security_interactive_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY },
-+            { security_authenticated_user_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY },
-+            { security_domain_users_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY|SE_GROUP_OWNER },
-+            { alias_admins_sid, SE_GROUP_USE_FOR_DENY_ONLY },
-+            { alias_users_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY },
-+            { logon_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY|SE_GROUP_LOGON_ID },
-+        };
-+        static const TOKEN_SOURCE admin_source = {"SeMgr", {0, 0}};
-+        token = create_token( TRUE, user_sid, user_groups, sizeof(user_groups)/sizeof(user_groups[0]),
-+                              user_privs, sizeof(user_privs)/sizeof(user_privs[0]), default_dacl,
-+                              admin_source, NULL, -1, TokenElevationTypeLimited, &medium_label_sid );
-+        /* we really need a primary group */
-+        assert( token->primary_group );
-+    }
-+
-+    free( logon_sid );
-+    free( alias_admins_sid );
-+    free( alias_users_sid );
-+    free( default_dacl );
-+
-+    return token;
-+}
-+
- static struct privilege *token_find_privilege( struct token *token, const LUID *luid, int enabled_only )
- {
-     struct privilege *privilege;
-@@ -1720,3 +1780,27 @@ DECL_HANDLER(set_token_default_dacl)
-         release_object( token );
-     }
- }
-+
-+DECL_HANDLER(create_token)
-+{
-+    struct token *token;
-+    PSID label;
-+
-+    if (req->admin)
-+    {
-+        token = token_create_admin();
-+        label = security_high_label_sid;
-+    }
-+    else
-+    {
-+        token = token_create_limited();
-+        label = security_medium_label_sid;
-+    }
-+
-+    if (token)
-+    {
-+        if (token_assign_label( token, label ))
-+            reply->token = alloc_handle( current->process, token, TOKEN_ALL_ACCESS, 0 );
-+        release_object( token );
-+    }
-+}
--- 
-2.28.0
-

patches/advapi32-Token_Integrity_Level/0007-shell32-Implement-process-elevation-using-runas-verb.patch

@@ -1,66 +0,0 @@
-From cf24ca0854a5b0dca2055f0991fd9a932125c65e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Sat, 5 Aug 2017 02:03:20 +0200
-Subject: shell32: Implement process elevation using runas verb.
-
----
- dlls/shell32/shlexec.c | 22 ++++++++++++++++++++--
- 1 file changed, 20 insertions(+), 2 deletions(-)
-
-diff --git a/dlls/shell32/shlexec.c b/dlls/shell32/shlexec.c
-index 0cf112b6373..af50078dbca 100644
---- a/dlls/shell32/shlexec.c
-+++ b/dlls/shell32/shlexec.c
-@@ -50,6 +50,8 @@
- 
- WINE_DEFAULT_DEBUG_CHANNEL(exec);
- 
-+extern HANDLE CDECL __wine_create_default_token(BOOL admin);
-+
- static const WCHAR wszOpen[] = {'o','p','e','n',0};
- static const WCHAR wszExe[] = {'.','e','x','e',0};
- static const WCHAR wszILPtr[] = {':','%','p',0};
-@@ -312,6 +314,8 @@ static HRESULT SHELL_GetPathFromIDListForExecuteW(LPCITEMIDLIST pidl, LPWSTR psz
- static UINT_PTR SHELL_ExecuteW(const WCHAR *lpCmd, WCHAR *env, BOOL shWait,
- 			    const SHELLEXECUTEINFOW *psei, LPSHELLEXECUTEINFOW psei_out)
- {
-+    static WCHAR runasW[] = {'r','u','n','a','s',0};
-+    HANDLE token = NULL;
-     STARTUPINFOW  startup;
-     PROCESS_INFORMATION info;
-     UINT_PTR retval = SE_ERR_NOASSOC;
-@@ -344,8 +348,20 @@ static UINT_PTR SHELL_ExecuteW(const WCHAR *lpCmd, WCHAR *env, BOOL shWait,
-     dwCreationFlags = CREATE_UNICODE_ENVIRONMENT;
-     if (!(psei->fMask & SEE_MASK_NO_CONSOLE))
-         dwCreationFlags |= CREATE_NEW_CONSOLE;
--    if (CreateProcessW(NULL, (LPWSTR)lpCmd, NULL, NULL, FALSE, dwCreationFlags, env,
--                       lpDirectory, &startup, &info))
-+
-+    /* Spawning a process with runas verb means that the process should be
-+     * executed with admin rights. This function ignores the manifest data,
-+     * and allows programs to elevate rights on-demand. On Windows a complex
-+     * RPC menchanism is used, using CreateProcessAsUser would fail because
-+     * it can only be used to drop rights. */
-+    if (psei->lpVerb && !strcmpiW(psei->lpVerb, runasW))
-+    {
-+        if (!(token = __wine_create_default_token(TRUE)))
-+            ERR("Failed to create admin token\n");
-+    }
-+
-+    if (CreateProcessAsUserW(token, NULL, (LPWSTR)lpCmd, NULL, NULL, FALSE,
-+                             dwCreationFlags, env, lpDirectory, &startup, &info))
-     {
-         /* Give 30 seconds to the app to come up, if desired. Probably only needed
-            when starting app immediately before making a DDE connection. */
-@@ -365,6 +381,8 @@ static UINT_PTR SHELL_ExecuteW(const WCHAR *lpCmd, WCHAR *env, BOOL shWait,
-         retval = ERROR_BAD_FORMAT;
-     }
- 
-+    if (token) CloseHandle(token);
-+
-     TRACE("returning %lu\n", retval);
- 
-     psei_out->hInstApp = (HINSTANCE)retval;
--- 
-2.13.1
-

patches/advapi32-Token_Integrity_Level/0015-ntdll-Add-semi-stub-for-TokenLinkedToken-info-class.patch

@@ -1,67 +0,0 @@
-From e34d019222909281390f83149be755a4145024c4 Mon Sep 17 00:00:00 2001
-From: Sebastian Lackner <sebastian@fds-team.de>
-Date: Mon, 7 Aug 2017 15:28:33 +0200
-Subject: [PATCH] ntdll: Add semi-stub for TokenLinkedToken info class.
-
----
- dlls/ntdll/unix/security.c | 30 +++++++++++++++++++++++++++++-
- 1 file changed, 29 insertions(+), 1 deletion(-)
-
-diff --git a/dlls/ntdll/unix/security.c b/dlls/ntdll/unix/security.c
-index f0057116dee..2769e5f6a7b 100644
---- a/dlls/ntdll/unix/security.c
-+++ b/dlls/ntdll/unix/security.c
-@@ -138,6 +138,7 @@ NTSTATUS WINAPI NtDuplicateToken( HANDLE token, ACCESS_MASK access, OBJECT_ATTRI
-     return status;
- }
- 
-+extern HANDLE CDECL __wine_create_default_token(BOOL admin);
- 
- /***********************************************************************
-  *             NtQueryInformationToken  (NTDLL.@)
-@@ -166,7 +167,7 @@ NTSTATUS WINAPI NtQueryInformationToken( HANDLE token, TOKEN_INFORMATION_CLASS c
-         0,    /* TokenAuditPolicy */
-         0,    /* TokenOrigin */
-         sizeof(TOKEN_ELEVATION_TYPE), /* TokenElevationType */
--        0,    /* TokenLinkedToken */
-+        sizeof(TOKEN_LINKED_TOKEN), /* TokenLinkedToken */
-         sizeof(TOKEN_ELEVATION), /* TokenElevation */
-         0,    /* TokenHasRestrictions */
-         0,    /* TokenAccessInformation */
-@@ -401,6 +402,33 @@ NTSTATUS WINAPI NtQueryInformationToken( HANDLE token, TOKEN_INFORMATION_CLASS c
-         SERVER_END_REQ;
-         break;
- 
-+    case TokenLinkedToken:
-+        SERVER_START_REQ( get_token_elevation_type )
-+        {
-+            TOKEN_LINKED_TOKEN *linked_token = info;
-+            req->handle = wine_server_obj_handle( token );
-+            status = wine_server_call( req );
-+            if (status == STATUS_SUCCESS)
-+            {
-+                HANDLE token;
-+                /* FIXME: On Wine we do not have real linked tokens yet. Typically, a
-+                 * program running with admin privileges is linked to a limited token,
-+                 * and vice versa. We just create a new token instead of storing links
-+                 * on the wineserver side. Using TokenLinkedToken twice should return
-+                 * back the original token. */
-+                if ((reply->elevation == TokenElevationTypeFull || reply->elevation == TokenElevationTypeLimited) &&
-+                    (token = __wine_create_default_token( reply->elevation != TokenElevationTypeFull )))
-+                {
-+                    status = NtDuplicateToken( token, 0, NULL, SecurityIdentification, TokenImpersonation, &linked_token->LinkedToken );
-+                    NtClose( token );
-+                }
-+                else
-+                    status = STATUS_NO_TOKEN;
-+            }
-+        }
-+        SERVER_END_REQ;
-+        break;
-+
-     case TokenElevation:
-         SERVER_START_REQ( get_token_elevation_type )
-         {
--- 
-2.27.0
-

patches/advapi32-Token_Integrity_Level/XX10-server-Implement-support-for-creating-processes-usin.patch

@@ -1,310 +0,0 @@
-From 9c61f6acfa2c43e43f07fae1a5cd447573b9529b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
-Date: Sun, 6 Aug 2017 02:08:05 +0200
-Subject: [PATCH] server: Implement support for creating processes using a
- token.
-
----
- dlls/kernelbase/process.c | 24 +++++++++++++-----------
- dlls/ntdll/unix/process.c |  1 +
- server/process.c          | 39 +++++++++++++++++++++++++++++++++++----
- server/process.h          |  2 +-
- server/protocol.def       |  1 +
- server/request.c          |  2 +-
- server/security.h         |  2 ++
- server/token.c            | 11 +++++++++++
- 8 files changed, 65 insertions(+), 17 deletions(-)
-
-diff --git a/dlls/kernelbase/process.c b/dlls/kernelbase/process.c
-index a3b168543fc..b5c8b47239d 100644
---- a/dlls/kernelbase/process.c
-+++ b/dlls/kernelbase/process.c
-@@ -244,7 +244,7 @@ static RTL_USER_PROCESS_PARAMETERS *create_process_params( const WCHAR *filename
- /***********************************************************************
-  *           create_nt_process
-  */
--static NTSTATUS create_nt_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-+static NTSTATUS create_nt_process( HANDLE token, SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-                                    BOOL inherit, DWORD flags, RTL_USER_PROCESS_PARAMETERS *params,
-                                    RTL_USER_PROCESS_INFORMATION *info, HANDLE parent )
- {
-@@ -259,7 +259,7 @@ static NTSTATUS create_nt_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES
-         status = RtlCreateUserProcess( &nameW, OBJ_CASE_INSENSITIVE, params,
-                                        psa ? psa->lpSecurityDescriptor : NULL,
-                                        tsa ? tsa->lpSecurityDescriptor : NULL,
--                                       parent, inherit, 0, 0, info );
-+                                       parent, inherit, 0, token, info );
-         RtlFreeUnicodeString( &nameW );
-     }
-     return status;
-@@ -269,7 +269,7 @@ static NTSTATUS create_nt_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES
- /***********************************************************************
-  *           create_vdm_process
-  */
--static NTSTATUS create_vdm_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-+static NTSTATUS create_vdm_process( HANDLE token, SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-                                     BOOL inherit, DWORD flags, RTL_USER_PROCESS_PARAMETERS *params,
-                                     RTL_USER_PROCESS_INFORMATION *info )
- {
-@@ -290,7 +290,7 @@ static NTSTATUS create_vdm_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTE
-               winevdm, params->ImagePathName.Buffer, params->CommandLine.Buffer );
-     RtlInitUnicodeString( &params->ImagePathName, winevdm );
-     RtlInitUnicodeString( &params->CommandLine, newcmdline );
--    status = create_nt_process( psa, tsa, inherit, flags, params, info, NULL );
-+    status = create_nt_process( token, psa, tsa, inherit, flags, params, info, NULL );
-     HeapFree( GetProcessHeap(), 0, newcmdline );
-     return status;
- }
-@@ -299,7 +299,7 @@ static NTSTATUS create_vdm_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTE
- /***********************************************************************
-  *           create_cmd_process
-  */
--static NTSTATUS create_cmd_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-+static NTSTATUS create_cmd_process( HANDLE token, SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTES *tsa,
-                                     BOOL inherit, DWORD flags, RTL_USER_PROCESS_PARAMETERS *params,
-                                     RTL_USER_PROCESS_INFORMATION *info )
- {
-@@ -318,7 +318,7 @@ static NTSTATUS create_cmd_process( SECURITY_ATTRIBUTES *psa, SECURITY_ATTRIBUTE
-     swprintf( newcmdline, len, L"%s /s/c \"%s\"", comspec, params->CommandLine.Buffer );
-     RtlInitUnicodeString( &params->ImagePathName, comspec );
-     RtlInitUnicodeString( &params->CommandLine, newcmdline );
--    status = create_nt_process( psa, tsa, inherit, flags, params, info, NULL );
-+    status = create_nt_process( token, psa, tsa, inherit, flags, params, info, NULL );
-     RtlFreeHeap( GetProcessHeap(), 0, newcmdline );
-     return status;
- }
-@@ -450,7 +450,9 @@ BOOL WINAPI DECLSPEC_HOTPATCH CreateProcessInternalW( HANDLE token, const WCHAR
- 
-     TRACE( "app %s cmdline %s\n", debugstr_w(app_name), debugstr_w(cmd_line) );
- 
--    if (token) FIXME( "Creating a process with a token is not yet implemented\n" );
-+    /* FIXME: Starting a process which requires admin rights should fail
-+     * with ERROR_ELEVATION_REQUIRED when no token is passed. */
-+
-     if (new_token) FIXME( "No support for returning created process token\n" );
- 
-     if (app_name)
-@@ -523,7 +525,7 @@ BOOL WINAPI DECLSPEC_HOTPATCH CreateProcessInternalW( HANDLE token, const WCHAR
-         }
-     }
- 
--    status = create_nt_process( process_attr, thread_attr, inherit, flags, params, &rtl_info, parent );
-+    status = create_nt_process( token, process_attr, thread_attr, inherit, flags, params, &rtl_info, parent );
-     switch (status)
-     {
-     case STATUS_SUCCESS:
-@@ -532,7 +534,7 @@ BOOL WINAPI DECLSPEC_HOTPATCH CreateProcessInternalW( HANDLE token, const WCHAR
-     case STATUS_INVALID_IMAGE_NE_FORMAT:
-     case STATUS_INVALID_IMAGE_PROTECT:
-         TRACE( "starting %s as Win16/DOS binary\n", debugstr_w(app_name) );
--        status = create_vdm_process( process_attr, thread_attr, inherit, flags, params, &rtl_info );
-+        status = create_vdm_process( token, process_attr, thread_attr, inherit, flags, params, &rtl_info );
-         break;
-     case STATUS_INVALID_IMAGE_NOT_MZ:
-         /* check for .com or .bat extension */
-@@ -540,12 +542,12 @@ BOOL WINAPI DECLSPEC_HOTPATCH CreateProcessInternalW( HANDLE token, const WCHAR
-         if (!wcsicmp( p, L".com" ) || !wcsicmp( p, L".pif" ))
-         {
-             TRACE( "starting %s as DOS binary\n", debugstr_w(app_name) );
--            status = create_vdm_process( process_attr, thread_attr, inherit, flags, params, &rtl_info );
-+            status = create_vdm_process( token, process_attr, thread_attr, inherit, flags, params, &rtl_info );
-         }
-         else if (!wcsicmp( p, L".bat" ) || !wcsicmp( p, L".cmd" ))
-         {
-             TRACE( "starting %s as batch binary\n", debugstr_w(app_name) );
--            status = create_cmd_process( process_attr, thread_attr, inherit, flags, params, &rtl_info );
-+            status = create_cmd_process( token, process_attr, thread_attr, inherit, flags, params, &rtl_info );
-         }
-         break;
-     }
-diff --git a/dlls/ntdll/unix/process.c b/dlls/ntdll/unix/process.c
-index cca6c2747bf..379a0036b63 100644
---- a/dlls/ntdll/unix/process.c
-+++ b/dlls/ntdll/unix/process.c
-@@ -827,6 +827,7 @@ NTSTATUS WINAPI NtCreateUserProcess( HANDLE *process_handle_ptr, HANDLE *thread_
-         req->access         = process_access;
-         req->cpu            = pe_info.cpu;
-         req->info_size      = startup_info_size;
-+        req->token          = wine_server_obj_handle( token );
-         wine_server_add_data( req, objattr, attr_len );
-         wine_server_add_data( req, startup_info, startup_info_size );
-         wine_server_add_data( req, params->Environment, env_size );
-diff --git a/server/process.c b/server/process.c
-index 52604ec4d61..047916ffd09 100644
---- a/server/process.c
-+++ b/server/process.c
-@@ -499,7 +499,7 @@ static void start_sigkill_timer( struct process *process )
- /* create a new process */
- /* if the function fails the fd is closed */
- struct process *create_process( int fd, struct process *parent, int inherit_all,
--                                const struct security_descriptor *sd )
-+                                const struct security_descriptor *sd, struct token *token )
- {
-     struct process *process;
- 
-@@ -576,7 +576,7 @@ struct process *create_process( int fd, struct process *parent, int inherit_all,
-                                        : alloc_handle_table( process, 0 );
-         /* Note: for security reasons, starting a new process does not attempt
-          * to use the current impersonation token for the new process */
--        process->token = token_duplicate( parent->token, TRUE, 0, NULL, NULL, 0, NULL, 0 );
-+        process->token = token_duplicate( token ? token : parent->token, TRUE, 0, NULL, NULL, 0, NULL, 0 );
-         process->affinity = parent->affinity;
-     }
-     if (!process->handles || !process->token) goto error;
-@@ -1132,6 +1132,7 @@ DECL_HANDLER(new_process)
-     const struct security_descriptor *sd;
-     const struct object_attributes *objattr = get_req_object_attributes( &sd, &name, NULL );
-     struct process *process = NULL;
-+    struct token *token = NULL;
-     struct process *parent;
-     struct thread *parent_thread = current;
-     int socket_fd = thread_get_inflight_fd( current, req->socket_fd );
-@@ -1185,10 +1186,39 @@ DECL_HANDLER(new_process)
-         return;
-     }
- 
-+    if (req->token)
-+    {
-+        token = get_token_from_handle( req->token, TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY );
-+        if (!token)
-+        {
-+            close( socket_fd );
-+            return;
-+        }
-+        if (!token_is_primary( token ))
-+        {
-+            set_error( STATUS_BAD_TOKEN_TYPE );
-+            release_object( token );
-+            close( socket_fd );
-+            return;
-+        }
-+    }
-+
-+    if (!req->info_size)  /* create an orphaned process */
-+    {
-+        if ((process = create_process( socket_fd, NULL, 0, sd, token )))
-+        {
-+            create_thread( -1, process, NULL );
-+            release_object( process );
-+        }
-+        if (token) release_object( token );
-+        return;
-+    }
-+
-     /* build the startup info for a new process */
-     if (!(info = alloc_object( &startup_info_ops )))
-     {
-         close( socket_fd );
-+        if (token) release_object( token );
-         release_object( parent );
-         return;
-     }
-@@ -1236,7 +1266,7 @@ DECL_HANDLER(new_process)
- #undef FIXUP_LEN
-     }
- 
--    if (!(process = create_process( socket_fd, parent, req->inherit_all, sd ))) goto done;
-+    if (!(process = create_process( socket_fd, parent, req->inherit_all, sd, token ))) goto done;
- 
-     process->startup_info = (struct startup_info *)grab_object( info );
- 
-@@ -1297,6 +1327,7 @@ DECL_HANDLER(new_process)
-     reply->handle = alloc_handle_no_access_check( current->process, process, req->access, objattr->attributes );
- 
-  done:
-+    if (token) release_object( token );
-     if (process) release_object( process );
-     release_object( parent );
-     release_object( info );
-@@ -1330,7 +1361,7 @@ DECL_HANDLER(exec_process)
-         close( socket_fd );
-         return;
-     }
--    if (!(process = create_process( socket_fd, NULL, 0, NULL ))) return;
-+    if (!(process = create_process( socket_fd, NULL, 0, NULL, NULL ))) return;
-     create_thread( -1, process, NULL );
-     release_object( process );
- }
-diff --git a/server/process.h b/server/process.h
-index dfe5c4e52d8..61b83abf693 100644
---- a/server/process.h
-+++ b/server/process.h
-@@ -118,7 +118,7 @@ extern unsigned int alloc_ptid( void *ptr );
- extern void free_ptid( unsigned int id );
- extern void *get_ptid_entry( unsigned int id );
- extern struct process *create_process( int fd, struct process *parent, int inherit_all,
--                                       const struct security_descriptor *sd );
-+                                       const struct security_descriptor *sd, struct token *token );
- extern data_size_t init_process( struct thread *thread );
- extern struct thread *get_process_first_thread( struct process *process );
- extern struct process *get_process_from_id( process_id_t id );
-diff --git a/server/protocol.def b/server/protocol.def
-index 901c380b721..8c86967609f 100644
---- a/server/protocol.def
-+++ b/server/protocol.def
-@@ -801,6 +801,7 @@ struct rawinput_device
-     unsigned int access;         /* access rights for process object */
-     client_cpu_t cpu;            /* CPU that the new process will use */
-     data_size_t  info_size;      /* size of startup info */
-+    obj_handle_t token;          /* token for the new process */
-     VARARG(objattr,object_attributes);   /* object attributes */
-     VARARG(info,startup_info,info_size); /* startup information */
-     VARARG(env,unicode_str);     /* environment for new process */
-diff --git a/server/request.c b/server/request.c
-index 4c1f30a5fe7..321bb6cfa81 100644
---- a/server/request.c
-+++ b/server/request.c
-@@ -582,7 +582,7 @@ static void master_socket_poll_event( struct fd *fd, int event )
-         int client = accept( get_unix_fd( master_socket->fd ), (struct sockaddr *) &dummy, &len );
-         if (client == -1) return;
-         fcntl( client, F_SETFL, O_NONBLOCK );
--        if ((process = create_process( client, NULL, 0, NULL )))
-+        if ((process = create_process( client, NULL, 0, NULL, NULL )))
-         {
-             create_thread( -1, process, NULL );
-             release_object( process );
-diff --git a/server/security.h b/server/security.h
-index 21e90ccf23f..32dfe5f8db9 100644
---- a/server/security.h
-+++ b/server/security.h
-@@ -67,6 +67,8 @@ extern const ACL *token_get_default_dacl( struct token *token );
- extern const SID *token_get_user( struct token *token );
- extern const SID *token_get_primary_group( struct token *token );
- extern int token_sid_present( struct token *token, const SID *sid, int deny);
-+extern struct token *get_token_from_handle( obj_handle_t handle, unsigned int access );
-+extern int token_is_primary( struct token *token );
- 
- static inline const ACE_HEADER *ace_next( const ACE_HEADER *ace )
- {
-diff --git a/server/token.c b/server/token.c
-index 1c1d49989b3..2f466aa1b25 100644
---- a/server/token.c
-+++ b/server/token.c
-@@ -843,6 +843,12 @@ int token_assign_label( struct token *token, PSID label )
-     return ret;
- }
- 
-+struct token *get_token_from_handle( obj_handle_t handle, unsigned int access )
-+{
-+    return (struct token *)get_handle_obj( current->process, handle,
-+                                           access, &token_ops );
-+}
-+
- struct token *token_create_admin( void )
- {
-     struct token *token = NULL;
-@@ -1269,6 +1275,11 @@ const SID *token_get_primary_group( struct token *token )
-     return token->primary_group;
- }
- 
-+int token_is_primary( struct token *token )
-+{
-+    return token->primary;
-+}
-+
- int check_object_access(struct object *obj, unsigned int *access)
- {
-     GENERIC_MAPPING mapping;
--- 
-2.27.0
-

patches/advapi32-Token_Integrity_Level/definition

@@ -1,6 +1,5 @@
 Fixes: [40613] Basic implementation for token integrity levels and UAC handling
 Fixes: [39262] Run explorer.exe as unevaluated process
-Depends: advapi32-CreateRestrictedToken
 Depends: Staging
 # Broken due to ntdll.so <- ntdll.dll imports. This isn't particularly difficult
 # to fix, but it was already broken for some more obscure reason, and the whole

patches/api-ms-win-Stub_DLLs/0006-iertutil-Add-dll-and-add-stub-for-ordinal-811.patch

@@ -1,23 +1,23 @@
-From 19683a27eaaed9c23635e9b5fa768a6c120a2ace Mon Sep 17 00:00:00 2001
+From 9bdd47614e24f12a292c18bdc9d81e55744b6e5f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
 Date: Sun, 17 Jan 2016 01:11:46 +0100
 Subject: [PATCH] iertutil: Add dll and add stub for ordinal 811.
 
 ---
  configure.ac                |   1 +
- dlls/iertutil/Makefile.in   |   4 +
- dlls/iertutil/iertutil.spec | 521 ++++++++++++++++++++++++++++++++++++++++++++
- dlls/iertutil/main.c        |  48 ++++
- 4 files changed, 574 insertions(+)
+ dlls/iertutil/Makefile.in   |   6 +
+ dlls/iertutil/iertutil.spec | 521 ++++++++++++++++++++++++++++++++++++
+ dlls/iertutil/main.c        |  31 +++
+ 4 files changed, 559 insertions(+)
  create mode 100644 dlls/iertutil/Makefile.in
  create mode 100644 dlls/iertutil/iertutil.spec
  create mode 100644 dlls/iertutil/main.c
 
 diff --git a/configure.ac b/configure.ac
-index 5c97c1c..d70dcea 100644
+index caff5d1fe52..91b95b8e7b1 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3286,6 +3286,7 @@ WINE_CONFIG_MAKEFILE(dlls/icmp)
+@@ -3342,6 +3342,7 @@ WINE_CONFIG_MAKEFILE(dlls/icmp)
  WINE_CONFIG_MAKEFILE(dlls/ieframe)
  WINE_CONFIG_MAKEFILE(dlls/ieframe/tests)
  WINE_CONFIG_MAKEFILE(dlls/ieproxy)
@@ -27,17 +27,19 @@ index 5c97c1c..d70dcea 100644
  WINE_CONFIG_MAKEFILE(dlls/imagehlp)
 diff --git a/dlls/iertutil/Makefile.in b/dlls/iertutil/Makefile.in
 new file mode 100644
-index 0000000..268026e
+index 00000000000..47f9d228812
 --- /dev/null
 +++ b/dlls/iertutil/Makefile.in
-@@ -0,0 +1,4 @@
+@@ -0,0 +1,6 @@
 +MODULE    = iertutil.dll
 +
++EXTRADLLFLAGS = -mno-cygwin -Wb,--prefer-native
++
 +C_SRCS = \
 +	main.c
 diff --git a/dlls/iertutil/iertutil.spec b/dlls/iertutil/iertutil.spec
 new file mode 100644
-index 0000000..a13779b
+index 00000000000..a13779bebbd
 --- /dev/null
 +++ b/dlls/iertutil/iertutil.spec
 @@ -0,0 +1,521 @@
@@ -564,10 +566,10 @@ index 0000000..a13779b
 +@ stub UriFromHostAndScheme
 diff --git a/dlls/iertutil/main.c b/dlls/iertutil/main.c
 new file mode 100644
-index 0000000..2b993a4
+index 00000000000..4e5e9f086b3
 --- /dev/null
 +++ b/dlls/iertutil/main.c
-@@ -0,0 +1,48 @@
+@@ -0,0 +1,31 @@
 +/*
 + * Copyright 2016 Michael Müller
 + *
@@ -586,7 +588,6 @@ index 0000000..2b993a4
 + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 + */
 +
-+#include "config.h"
 +#include <stdarg.h>
 +
 +#include "windef.h"
@@ -595,27 +596,11 @@ index 0000000..2b993a4
 +
 +WINE_DEFAULT_DEBUG_CHANNEL(iertutil);
 +
-+BOOL WINAPI DllMain(HINSTANCE instance, DWORD reason, void *reserved)
-+{
-+    TRACE("(%p, %u, %p)\n", instance, reason, reserved);
-+
-+    switch (reason)
-+    {
-+        case DLL_WINE_PREATTACH:
-+            return FALSE;  /* prefer native version */
-+        case DLL_PROCESS_ATTACH:
-+            DisableThreadLibraryCalls(instance);
-+            break;
-+    }
-+
-+    return TRUE;
-+}
-+
 +BOOL WINAPI IERTUTIL_811(void *unknown)
 +{
 +    FIXME("(%p): stub\n", unknown);
 +    return FALSE;
 +}
 -- 
-1.9.1
+2.20.1
 

patches/api-ms-win-Stub_DLLs/0027-uiautomationcore-Add-dll-and-stub-some-functions.patch

@@ -1,4 +1,4 @@
-From 21b4b65eadc9e39008ccadc48307fcfea05a24fb Mon Sep 17 00:00:00 2001
+From 0e65ed108eb8bab24668f9a58c5757a3ad36104f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
 Date: Tue, 12 Apr 2016 01:02:34 +0200
 Subject: [PATCH] uiautomationcore: Add dll and stub some functions.
@@ -9,7 +9,7 @@ Subject: [PATCH] uiautomationcore: Add dll and stub some functions.
  2 files changed, 48 insertions(+), 6 deletions(-)
 
 diff --git a/dlls/uiautomationcore/Makefile.in b/dlls/uiautomationcore/Makefile.in
-index b6edec5f6a9..bf2204d5ab4 100644
+index 5c4acb232a4..412f1dbbe19 100644
 --- a/dlls/uiautomationcore/Makefile.in
 +++ b/dlls/uiautomationcore/Makefile.in
 @@ -1,5 +1,6 @@
@@ -17,10 +17,10 @@ index b6edec5f6a9..bf2204d5ab4 100644
  IMPORTLIB = uiautomationcore
 +IMPORTS   = uuid
  
- EXTRADLLFLAGS = -mno-cygwin
+ EXTRADLLFLAGS = -mno-cygwin -Wb,--prefer-native
  
 diff --git a/dlls/uiautomationcore/uia_main.c b/dlls/uiautomationcore/uia_main.c
-index f0d8247724d..b9c24b4b963 100644
+index 42014af6035..61e165d83c0 100644
 --- a/dlls/uiautomationcore/uia_main.c
 +++ b/dlls/uiautomationcore/uia_main.c
 @@ -1,4 +1,5 @@
@@ -29,7 +29,7 @@ index f0d8247724d..b9c24b4b963 100644
   * Copyright 2017 Jacek Caban for CodeWeavers
   *
   * This library is free software; you can redistribute it and/or
-@@ -16,6 +17,7 @@
+@@ -16,18 +17,58 @@
   * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
   */
  
@@ -37,9 +37,8 @@ index f0d8247724d..b9c24b4b963 100644
  #include "uiautomation.h"
  
  #include "wine/debug.h"
-@@ -37,12 +39,51 @@ BOOL WINAPI DllMain(HINSTANCE hInstDLL, DWORD fdwReason, void *lpv)
-     return TRUE;
- }
+ 
+ WINE_DEFAULT_DEBUG_CHANNEL(uiautomation);
  
 +static HRESULT WINAPI dummy_QueryInterface(IUnknown *iface, REFIID iid, void **ppv)
 +{
@@ -90,7 +89,7 @@ index f0d8247724d..b9c24b4b963 100644
      return FALSE;
  }
  
-@@ -51,8 +92,8 @@ BOOL WINAPI UiaClientsAreListening(void)
+@@ -36,8 +77,8 @@ BOOL WINAPI UiaClientsAreListening(void)
   */
  HRESULT WINAPI UiaGetReservedMixedAttributeValue(IUnknown **value)
  {
@@ -101,7 +100,7 @@ index f0d8247724d..b9c24b4b963 100644
      return S_OK;
  }
  
-@@ -61,8 +102,8 @@ HRESULT WINAPI UiaGetReservedMixedAttributeValue(IUnknown **value)
+@@ -46,8 +87,8 @@ HRESULT WINAPI UiaGetReservedMixedAttributeValue(IUnknown **value)
   */
  HRESULT WINAPI UiaGetReservedNotSupportedValue(IUnknown **value)
  {
@@ -112,7 +111,7 @@ index f0d8247724d..b9c24b4b963 100644
      return S_OK;
  }
  
-@@ -81,7 +122,7 @@ int WINAPI UiaLookupId(enum AutomationIdentifierType type, const GUID *guid)
+@@ -66,7 +107,7 @@ int WINAPI UiaLookupId(enum AutomationIdentifierType type, const GUID *guid)
  LRESULT WINAPI UiaReturnRawElementProvider(HWND hwnd, WPARAM wParam,
          LPARAM lParam, IRawElementProviderSimple *elprov)
  {
@@ -122,5 +121,5 @@ index f0d8247724d..b9c24b4b963 100644
  }
  
 -- 
-2.17.1
+2.20.1
 

patches/bcrypt-ECDHSecretAgreement/0001-bcrypt-Allow-multiple-backends-to-coexist.patch

@@ -0,0 +1,346 @@
+From 3478a4e41c07a66e7e913c54bcf5ad52e16a8fee Mon Sep 17 00:00:00 2001
+From: Derek Lesho <dlesho@codeweavers.com>
+Date: Fri, 2 Oct 2020 11:29:24 -0500
+Subject: [PATCH] bcrypt: Allow multiple backends to coexist.
+
+Signed-off-by: Derek Lesho <dlesho@codeweavers.com>
+---
+ dlls/bcrypt/Makefile.in       |   3 +-
+ dlls/bcrypt/bcrypt_internal.h |   3 +
+ dlls/bcrypt/gnutls.c          |  32 ++++--
+ dlls/bcrypt/macos.c           |  18 ++-
+ dlls/bcrypt/unixlib.c         | 211 ++++++++++++++++++++++++++++++++++
+ 5 files changed, 252 insertions(+), 15 deletions(-)
+ create mode 100644 dlls/bcrypt/unixlib.c
+
+diff --git a/dlls/bcrypt/Makefile.in b/dlls/bcrypt/Makefile.in
+index 24803fb2d7cb..46a20d473dd7 100644
+--- a/dlls/bcrypt/Makefile.in
++++ b/dlls/bcrypt/Makefile.in
+@@ -11,6 +11,7 @@ C_SRCS = \
+ 	macos.c \
+ 	md2.c \
+ 	sha256.c \
+-	sha512.c
++	sha512.c \
++	unixlib.c
+ 
+ RC_SRCS = version.rc
+diff --git a/dlls/bcrypt/bcrypt_internal.h b/dlls/bcrypt/bcrypt_internal.h
+index eb1361115093..3c7110d05f84 100644
+--- a/dlls/bcrypt/bcrypt_internal.h
++++ b/dlls/bcrypt/bcrypt_internal.h
+@@ -218,4 +218,7 @@ struct key_funcs
+     NTSTATUS (CDECL *key_import_rsa)( struct key *, UCHAR *, ULONG );
+ };
+ 
++struct key_funcs *gnutls_lib_init(DWORD reason);
++struct key_funcs *macos_lib_init(DWORD reason);
++
+ #endif /* __BCRYPT_INTERNAL_H */
+diff --git a/dlls/bcrypt/gnutls.c b/dlls/bcrypt/gnutls.c
+index c065ac31fba3..9490ea8612a8 100644
+--- a/dlls/bcrypt/gnutls.c
++++ b/dlls/bcrypt/gnutls.c
+@@ -371,9 +371,12 @@ fail:
+ 
+ static void gnutls_uninitialize(void)
+ {
+-    pgnutls_global_deinit();
+-    dlclose( libgnutls_handle );
+-    libgnutls_handle = NULL;
++    if (libgnutls_handle)
++    {
++        pgnutls_global_deinit();
++        dlclose( libgnutls_handle );
++        libgnutls_handle = NULL;
++    }
+ }
+ 
+ struct buffer
+@@ -1949,19 +1952,28 @@ static const struct key_funcs key_funcs =
+     key_import_rsa
+ };
+ 
+-NTSTATUS CDECL __wine_init_unix_lib( HMODULE module, DWORD reason, const void *ptr_in, void *ptr_out )
++struct key_funcs * gnutls_lib_init( DWORD reason )
+ {
+     switch (reason)
+     {
+     case DLL_PROCESS_ATTACH:
+-        if (!gnutls_initialize()) return STATUS_DLL_NOT_FOUND;
+-        *(const struct key_funcs **)ptr_out = &key_funcs;
+-        break;
++        if (!gnutls_initialize()) return NULL;
++        return &key_funcs;
+     case DLL_PROCESS_DETACH:
+         gnutls_uninitialize();
+-        break;
+     }
+-    return STATUS_SUCCESS;
++    return NULL;
+ }
+ 
+-#endif /* HAVE_GNUTLS_CIPHER_INIT */
++#else /* HAVE_GNUTLS_CIPHER_INIT */
++#include "ntstatus.h"
++#define WIN32_NO_STATUS
++#include "windef.h"
++#include "winbase.h"
++#include "winternl.h"
++
++struct key_funcs * gnutls_lib_init( DWORD reason )
++{
++    return NULL;
++}
++#endif
+diff --git a/dlls/bcrypt/macos.c b/dlls/bcrypt/macos.c
+index 44906519cef0..2a88aec8362c 100644
+--- a/dlls/bcrypt/macos.c
++++ b/dlls/bcrypt/macos.c
+@@ -302,11 +302,21 @@ static const struct key_funcs key_funcs =
+     key_import_rsa
+ };
+ 
+-NTSTATUS CDECL __wine_init_unix_lib( HMODULE module, DWORD reason, const void *ptr_in, void *ptr_out )
++struct key_funcs * macos_lib_init( DWORD reason )
+ {
+-    if (reason != DLL_PROCESS_ATTACH) return STATUS_SUCCESS;
+-    *(const struct key_funcs **)ptr_out = &key_funcs;
+-    return STATUS_SUCCESS;
++    if (reason != DLL_PROCESS_ATTACH) return NULL;
++    return &key_funcs;
+ }
+ 
++#else
++#include "ntstatus.h"
++#define WIN32_NO_STATUS
++#include "windef.h"
++#include "winbase.h"
++#include "winternl.h"
++
++struct key_funcs * macos_lib_init( DWORD reason )
++{
++    return NULL;
++}
+ #endif
+diff --git a/dlls/bcrypt/unixlib.c b/dlls/bcrypt/unixlib.c
+new file mode 100644
+index 000000000000..9cbb25f5740c
+--- /dev/null
++++ b/dlls/bcrypt/unixlib.c
+@@ -0,0 +1,211 @@
++#if 0
++#pragma makedep unix
++#endif
++
++#include "config.h"
++#include "wine/port.h"
++
++#include <stdarg.h>
++
++#include "ntstatus.h"
++#define WIN32_NO_STATUS
++#include "windef.h"
++#include "winbase.h"
++#include "ntsecapi.h"
++#include "bcrypt.h"
++
++#include "bcrypt_internal.h"
++
++#include "wine/debug.h"
++#include "wine/unicode.h"
++
++#if defined(HAVE_COMMONCRYPTO_COMMONCRYPTOR_H) && MAC_OS_X_VERSION_MAX_ALLOWED >= 1080 || defined(HAVE_GNUTLS_CIPHER_INIT)
++WINE_DEFAULT_DEBUG_CHANNEL(bcrypt);
++
++static NTSTATUS CDECL key_set_property( struct key *key, const WCHAR *prop, UCHAR *value, ULONG size, ULONG flags )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_symmetric_init( struct key *key )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static void CDECL key_symmetric_vector_reset( struct key *key )
++{
++    FIXME( "not implemented\n" );
++}
++
++static NTSTATUS CDECL key_symmetric_set_auth_data( struct key *key, UCHAR *auth_data, ULONG len )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_symmetric_encrypt( struct key *key, const UCHAR *input, ULONG input_len, UCHAR *output, ULONG output_len  )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_symmetric_decrypt( struct key *key, const UCHAR *input, ULONG input_len, UCHAR *output, ULONG output_len )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_symmetric_get_tag( struct key *key, UCHAR *tag, ULONG len )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static void CDECL key_symmetric_destroy( struct key *key )
++{
++    FIXME( "not implemented\n" );
++}
++
++static NTSTATUS CDECL key_asymmetric_init( struct key *key )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_asymmetric_sign( struct key *key, void *padding, UCHAR *input, ULONG input_len, UCHAR *output,
++                                           ULONG output_len, ULONG *ret_len, ULONG flags )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_asymmetric_verify( struct key *key, void *padding, UCHAR *hash, ULONG hash_len,
++                                             UCHAR *signature, ULONG signature_len, DWORD flags )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_export_dsa_capi( struct key *key, UCHAR *buf, ULONG len, ULONG *ret_len )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_export_ecc( struct key *key, UCHAR *output, ULONG len, ULONG *ret_len )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_import_dsa_capi( struct key *key, UCHAR *buf, ULONG len )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_import_ecc( struct key *key, UCHAR *input, ULONG len )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_asymmetric_generate( struct key *key )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_asymmetric_duplicate( struct key *key_orig, struct key *key_copy )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static void CDECL key_asymmetric_destroy( struct key *key )
++{
++    FIXME( "not implemented\n" );
++}
++
++static NTSTATUS CDECL key_asymmetric_decrypt( struct key *key, UCHAR *input, ULONG input_len,
++        UCHAR *output, ULONG *output_len )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static NTSTATUS CDECL key_import_rsa( struct key *key, UCHAR *input, ULONG input_len )
++{
++    FIXME( "not implemented\n" );
++    return STATUS_NOT_IMPLEMENTED;
++}
++
++static struct key_funcs key_funcs =
++{
++    key_set_property,
++    key_symmetric_init,
++    key_symmetric_vector_reset,
++    key_symmetric_set_auth_data,
++    key_symmetric_encrypt,
++    key_symmetric_decrypt,
++    key_symmetric_get_tag,
++    key_symmetric_destroy,
++    key_asymmetric_init,
++    key_asymmetric_generate,
++    key_asymmetric_decrypt,
++    key_asymmetric_duplicate,
++    key_asymmetric_sign,
++    key_asymmetric_verify,
++    key_asymmetric_destroy,
++    key_export_dsa_capi,
++    key_export_ecc,
++    key_import_dsa_capi,
++    key_import_ecc,
++    key_import_rsa,
++};
++
++NTSTATUS CDECL __wine_init_unix_lib( HMODULE module, DWORD reason, const void *ptr_in, void *ptr_out )
++{
++    struct key_funcs *gnutls_funcs = gnutls_lib_init(reason);
++    struct key_funcs *macos_funcs = macos_lib_init(reason);
++
++    if (reason == DLL_PROCESS_ATTACH)
++    {
++#define RESOLVE_FUNC(name) \
++        if (macos_funcs && macos_funcs->key_##name) \
++            key_funcs.key_##name = macos_funcs->key_##name; \
++        if (gnutls_funcs && gnutls_funcs->key_##name) \
++            key_funcs.key_##name = gnutls_funcs->key_##name;
++
++        RESOLVE_FUNC(set_property)
++        RESOLVE_FUNC(symmetric_init)
++        RESOLVE_FUNC(symmetric_vector_reset)
++        RESOLVE_FUNC(symmetric_set_auth_data)
++        RESOLVE_FUNC(symmetric_encrypt)
++        RESOLVE_FUNC(symmetric_decrypt)
++        RESOLVE_FUNC(symmetric_get_tag)
++        RESOLVE_FUNC(symmetric_destroy)
++        RESOLVE_FUNC(asymmetric_init)
++        RESOLVE_FUNC(asymmetric_generate)
++        RESOLVE_FUNC(asymmetric_decrypt)
++        RESOLVE_FUNC(asymmetric_duplicate)
++        RESOLVE_FUNC(asymmetric_sign)
++        RESOLVE_FUNC(asymmetric_verify)
++        RESOLVE_FUNC(asymmetric_destroy)
++        RESOLVE_FUNC(export_dsa_capi)
++        RESOLVE_FUNC(export_ecc)
++        RESOLVE_FUNC(import_dsa_capi)
++        RESOLVE_FUNC(import_ecc)
++        RESOLVE_FUNC(import_rsa)
++
++#undef RESOLVE_FUNC
++
++        *(struct key_funcs **)ptr_out = &key_funcs;
++    }
++
++    return STATUS_SUCCESS;
++}
++
++#endif
+-- 
+2.29.2
+