Re: crypto api in ISAPI extension

From: John Yule (anonymous_at_discussions.microsoft.com)
Date: 12/08/03


Date: Mon, 8 Dec 2003 12:57:38 -0800

Vishal - the error is definitely 8009001 "Bad UID". It is
a confusing error because the CryptAcquireContext seems
to return a valid handle, but fails when used in
CryptDeriveKey or CryptReleaseContext. As I stated
below, it actually works on several calls within the same
procedure for various data packets but will fail all of a
sudden (on 2 client servers - works as expected on many
other servers).

Thanks!

>-----Original Message-----
>Are you sure it's "Bad UID"?
>
>Is the error code 8009001 or 80090010 ?
>
>If it's 80090010, the error message text is "Access denied"?
>
>Thanks,
>Vishal
>
>--
>This posting is provided "AS IS" with no warranties, and confers no rights
>"John Yule" <anonymous@discussions.microsoft.com> wrote in message
>news:018e01c3bb5c$8023c8c0$a301280a@phx.gbl...
>> I have an ISAPI extension which uses the crypto api to
>> decrypt data sent from a client. It works flawlessly on
>> all of our (5) test servers and also at a couple of
>> clients.
>>
>> However, on a specific client's (2) servers I get the
>> following error thrown by CryptDeriveKey(): x8009001 'Bad
>> UID'. This is after the CryptAcquireContext()
>> successfully returns a seemingly valid UID (code below).
>> A call to CryptReleaseContext() with the same handle gets
>> the same error. So it looks like the handle returned by
>> CryptAcquireContext() is bad even though it indicates
>> success.
>>
>> The frustrating thing is that it goes through several
>> similar decryptions (in the same process request)
>> successfully prior to failing. In some cases restarting
>> IIS causes it to work the 1st time but fail on all
>> subsequent requests.
>>
>> The code is pretty much straight out of msdn samples:
>> ===================
>> BOOL CPhynityCrypto::CryptoDecrypt(CString csPassword,
>>                                    void* pvBuff,
>>                                    ULONG* ulBuffSize,
>>                                    CString* csErrMsg)
>> {
>>     LPTSTR lpWork = NULL;
>>     BOOL bStatus = FALSE;
>>     HCRYPTPROV hCryptProv = NULL;
>>     HCRYPTHASH lHHash = NULL;
>>     HCRYPTKEY lHkey = NULL;
>>     DWORD dwErr = 0;   // captured immediately after each failure, before
>>                        // any other call can reset the thread's last error
>>
>>     // Get handle to the default CSP.
>>     CString csProvider(MS_DEF_PROV);
>>     if (!CryptAcquireContext(&hCryptProv, NULL, csProvider,
>>                              PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
>>     {
>>         dwErr = GetLastError();
>>         csErrMsg->Format(_T("Error %x during CryptAcquireContext!\n\n%s"),
>>                          dwErr, CPhynityCommonServices::GetLastErrorString());
>>         goto EXIT;
>>     }
>>
>>     // Create a hash object
>>     if (!CryptCreateHash(hCryptProv, CALG_MD5, 0, 0, &lHHash))
>>     {
>>         dwErr = GetLastError();
>>         csErrMsg->Format(_T("Error %x during CryptCreateHash!\n\n%s"),
>>                          dwErr, CPhynityCommonServices::GetLastErrorString());
>>         goto EXIT;
>>     }
>>
>>     // Hash in the password text
>>     lpWork = csPassword.LockBuffer();
>>     if (!CryptHashData(lHHash, (BYTE*)lpWork, csPassword.GetLength(), 0))
>>     {
>>         dwErr = GetLastError();
>>         csErrMsg->Format(_T("Error %x during CryptHashData!\n\n%s"),
>>                          dwErr, CPhynityCommonServices::GetLastErrorString());
>>         csPassword.UnlockBuffer();
>>         goto EXIT;
>>     }
>>     csPassword.UnlockBuffer();
>>
>>     // Create a session key from the hash object
>>     if (!CryptDeriveKey(hCryptProv, CALG_RC4, lHHash, 0, &lHkey))
>>     {
>>         dwErr = GetLastError();
>>         csErrMsg->Format(_T("Error %x during CryptDeriveKey!\n\n%s"),
>>                          dwErr, CPhynityCommonServices::GetLastErrorString());
>>         goto EXIT;
>>     }
>>
>>     // Destroy the hash object.
>>     CryptDestroyHash(lHHash);
>>     lHHash = NULL;
>>
>>     // Decrypt data in place (final block, no padding for a stream cipher)
>>     if (!CryptDecrypt(lHkey, 0, TRUE, 0, (BYTE*)pvBuff, ulBuffSize))
>>     {
>>         dwErr = GetLastError();
>>         csErrMsg->Format(_T("Error %x during CryptDecrypt!\n\n%s"),
>>                          dwErr, CPhynityCommonServices::GetLastErrorString());
>>         goto EXIT;
>>     }
>>
>>     // success
>>     bStatus = TRUE;
>>
>> EXIT:
>>     if (lHkey != NULL)
>>         CryptDestroyKey(lHkey);
>>     if (lHHash != NULL)
>>         CryptDestroyHash(lHHash);
>>     if (hCryptProv != NULL)
>>         CryptReleaseContext(hCryptProv, 0);
>>     return bStatus;
>> }



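As an added illustration (not code from John's post or the Phynity project): a Python model of the key that the posted routine's CryptDeriveKey(CALG_RC4) call derives from the MD5 hash of the password, and the RC4 decryption CryptDecrypt then performs, so the construction can be reasoned about off-box. It assumes the derivation as documented for CryptoAPI (leading hash bytes become the key; the Base provider MS_DEF_PROV yields a 40-bit RC4 key followed by an 88-bit zero salt when CRYPT_CREATE_SALT is not set, the Enhanced provider the full 128-bit digest); the thread itself states none of this.

```python
import hashlib

# Assumption (CryptoAPI documentation, not the thread): CryptDeriveKey takes
# the leading bytes of the hash value as key material. Under the Base
# provider RC4 keys are 40 bits and an 88-bit zero salt is appended, so only
# 5 of the 16 bytes fed to RC4 depend on the password; the Enhanced provider
# uses the whole MD5 digest.
def derive_rc4_key(password: bytes, provider: str = "base") -> bytes:
    """Return the 16 bytes of RC4 key material for the given provider model."""
    digest = hashlib.md5(password).digest()
    if provider == "base":
        return digest[:5] + b"\x00" * 11
    if provider == "enhanced":
        return digest
    raise ValueError("provider must be 'base' or 'enhanced'")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_with_password(password: bytes, ciphertext: bytes,
                          provider: str = "base") -> bytes:
    """What CryptoDecrypt computes: RC4 under the MD5-derived session key."""
    return rc4(derive_rc4_key(password, provider), ciphertext)


if __name__ == "__main__":
    # Constructed sample: a client encrypting "invoice 42" under "s3cret".
    ct = rc4(derive_rc4_key(b"s3cret"), b"invoice 42")
    print(ct.hex(), decrypt_with_password(b"s3cret", ct))
    print("password-dependent key bytes (base):",
          sum(1 for b in derive_rc4_key(b"s3cret")[5:] if b) + 5)
```

The trailing eleven zero bytes are why a password-derived RC4 key from the Base provider carries at most 40 bits of secret material regardless of the password; the Enhanced provider removes that limit but still derives from a single unsalted, un-iterated MD5.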