
I have to implement a TLS handshake process using the SSPI interface.
My app implements the client side, and as I saw from here the general flow is:

  1. InitializeSecurityContext - the first call returns a pointer to a SecBufferDesc structure.
  2. Call the send (WinSock API) function with the output buffers.
  3. Call the recv function.
  4. Call InitializeSecurityContext again with the buffers.

The MSDN explanation about these buffers:

"On calls to this function after the initial call, there must be two buffers. The first has type SECBUFFER_TOKEN and contains the token received from the server. The second buffer has type SECBUFFER_EMPTY; set both the pvBuffer and cbBuffer members to zero."

My questions:

  1. I need some more explanation: what is the meaning of the buffers? What does the second buffer contain? What are they for?
  2. In MSDN it is written that the TargetDataRep input parameter of the InitializeSecurityContext function is not used for Schannel, but many samples that I saw set it to SECURITY_NATIVE_DREP. What is the SECURITY_NATIVE_DREP flag? Why does MSDN say to set it to zero?

I will really appreciate any help.
Thanks!

RRR

1 Answer


1. SChannel gives you a layer of abstraction to be able to transfer data buffers over secure channels. The API is designed in such a way that when you send a piece of data, you supply two data buffers: the actual data (payload) and a second buffer which holds the secure channel token/context. It is assumed that you will be attaching this buffer to every payload buffer you are pushing through, e.g. because the API is not designed to keep and manage this data internally, e.g. with a handle.

2. InitializeSecurityContext applies not only to the SChannel package; in other scenarios this parameter is used, and perhaps the sample code you had a chance to see was related to a different package, or was copied from there, or applies to both.

Roman R.
  • Thank you! 1. Can you please give me an example of the content of these buffers during the handshake loop? (An example of what the contents will be at some point in the process would be great.) 2. In [this](http://msdn.microsoft.com/en-us/library/aa918273.aspx) MSDN SSPI (Schannel) code sample, SECURITY_NATIVE_DREP is set. Is it a mistake? (You'll find this by a quick search for the SECURITY_NATIVE_DREP flag on this site.) – RRR Apr 04 '12 at 06:55
  • 1 - On the first `InitializeSecurityContext` call you provide an output empty `SECBUFFER_TOKEN` buffer to hold the token. Having `SEC_I_CONTINUE_NEEDED` received, you send the data you have in token output buffer to the remote party, you receive data back in response and make another `InitializeSecurityContext` call providing input `SECBUFFER_TOKEN` buffer with received data. If you get `SEC_I_CONTINUE_NEEDED` result once again, you repeat the whole thing - you send token data to remote party, receive response and again you feed it into SChannel API to continue initialization. – Roman R. Apr 04 '12 at 07:01
  • 2 - I am not sure whether `SECURITY_NATIVE_DREP` is a mistake or not. It looks like this flag is not required, and the API ignores it. I would stick to the documentation and remove it from real code. – Roman R. Apr 04 '12 at 07:03
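As an added example (not code from the question, the answer or the MSDN sample), here are C helpers for the two input buffers the quoted MSDN text describes: the `SECBUFFER_TOKEN` slot carries what `recv` returned, and the `SECBUFFER_EMPTY` slot is where Schannel reports `SECBUFFER_EXTRA`, the trailing received bytes it did not consume, which must be kept for the next `InitializeSecurityContext` call. The `#else` branch mirrors the `sspi.h` definitions only so the helpers compile on a non-Windows host, and the record bytes in `self_check` are constructed.

```c
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>   /* real SecBuffer / SECBUFFER_* from the Windows SDK */
#else                   /* off Windows: mirror the sspi.h definitions so this still compiles */
typedef struct { unsigned long cbBuffer; unsigned long BufferType; void *pvBuffer; } SecBuffer;
typedef struct { unsigned long ulVersion; unsigned long cBuffers; SecBuffer *pBuffers; } SecBufferDesc;
#define SECBUFFER_VERSION 0
#define SECBUFFER_EMPTY   0
#define SECBUFFER_TOKEN   2
#define SECBUFFER_EXTRA   5
#endif

/* Bytes recv()'d from the server that Schannel has not consumed yet. */
typedef struct { unsigned char data[16384]; size_t used; } RecvBuf;

/* Input for every InitializeSecurityContext call after the first: [0] SECBUFFER_TOKEN
 * carries the received bytes, [1] SECBUFFER_EMPTY is a free slot that Schannel
 * rewrites as SECBUFFER_EXTRA when the token held more than it needed. */
void prepare_input(SecBufferDesc *desc, SecBuffer in[2], RecvBuf *rb) {
    in[0].BufferType = SECBUFFER_TOKEN; in[0].cbBuffer = (unsigned long)rb->used; in[0].pvBuffer = rb->data;
    in[1].BufferType = SECBUFFER_EMPTY; in[1].cbBuffer = 0;                       in[1].pvBuffer = NULL;
    desc->ulVersion = SECBUFFER_VERSION; desc->cBuffers = 2; desc->pBuffers = in;
}

/* After the call. incomplete != 0 means SEC_E_INCOMPLETE_MESSAGE: keep everything and recv()
 * more. Otherwise EXTRA.cbBuffer counts trailing unconsumed bytes; move them to the front. */
size_t consume_input(const SecBuffer in[2], RecvBuf *rb, int incomplete) {
    if (incomplete) return rb->used;
    if (in[1].BufferType == SECBUFFER_EXTRA && in[1].cbBuffer <= rb->used) {
        size_t extra = in[1].cbBuffer;
        memmove(rb->data, rb->data + (rb->used - extra), extra);
        return rb->used = extra;      /* the next recv() appends behind these bytes */
    }
    return rb->used = 0;              /* fully consumed: the next read starts fresh */
}

/* Constructed scenario, not real traffic: 10 bytes arrive, Schannel uses 7, flags 3 as EXTRA. */
int self_check(void) {
    static const unsigned char sample[10] = {0x16,3,3,0,2,0x0e,0,0x16,3,3};
    RecvBuf rb; SecBuffer in[2]; SecBufferDesc desc;
    memcpy(rb.data, sample, 10); rb.used = 10;
    prepare_input(&desc, in, &rb);
    if (desc.cBuffers != 2 || in[0].cbBuffer != 10 || in[1].BufferType != SECBUFFER_EMPTY) return 1;
    in[1].BufferType = SECBUFFER_EXTRA; in[1].cbBuffer = 3;          /* what Schannel would set */
    if (consume_input(in, &rb, 0) != 3 || memcmp(rb.data, sample + 7, 3) != 0) return 2;
    return 0;                                                         /* helpers behave as described */
}
```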