Re: AcceptSecurityContext with invalid data returns SEC_E_INCOMPLETE_MESSAGE?

From: John Banes (jabanes_at_comcast.remove.net)
Date: 11/15/05


Date: Mon, 14 Nov 2005 22:46:57 -0800

You can query the SSPI package info to get the maximum buffer size you
should be using. In the case of schannel this is something perilously close
to 16 KB. If the incoming packet exceeds this size then you should feel free
to error out and drop the connection.

I'm guessing that this is your first call to ASC, and so the data in the
input buffer is being interpreted as an SSL ClientHello message. Schannel
will parse this data and attempt to figure out the protocol (SSL2, SSL3, or
TLS) and the packet size. I suspect that it doesn't do any further
processing until the entire packet has been received. In the case of random
data, this data is probably being interpreted as an SSL2 ClientHello
message. This type of message doesn't have much structure, and so schannel
is probably parsing out some huge number as the packet size, hence the
incomplete message errors.

Be sure to look at the webclient and webserver samples in the platform sdk.
I don't want to name names, but the guy that wrote these programs wasn't
completely clueless...

Regards,
John

"Tony" <tony@somewhere.com> wrote in message
news:O5sUiQU6FHA.3416@TK2MSFTNGP15.phx.gbl...
> Hi all,
>
> I am writing an application that accepts SSL connections over a socket.
> In testing my application against incorrect data, I have written a test
> app that connects to my socket and then throws random data at it.
>
> During the handshaking operation, I was expecting the
> AcceptSecurityContext call to tell me the data is bad... but instead I
> always get the SEC_E_INCOMPLETE_MESSAGE response. Collecting more data
> and making the call always produces the same results. Consequently, I
> never resolve the handshaking operation to have failed, and endlessly
> collect data.
>
> I was wondering if anyone had any thoughts as to what the correct
> procedure is to detecting this type of situation?
>
> Regards,
>
> Anthony
>
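The framing logic John describes (schannel reads just enough of the first record to work out whether it is SSL2, SSL3 or TLS and how long the record claims to be, then reports SEC_E_INCOMPLETE_MESSAGE until that many bytes have arrived) can be applied by the server itself before handing bytes to AcceptSecurityContext, so that a peer whose claimed record could never fit in cbMaxToken is dropped instead of being read forever. The following is an added example written for this thread, not code from either poster or from the Platform SDK samples. It assumes a 16384-byte stand-in for SecPkgInfo.cbMaxToken (a real server reads that value with QuerySecurityPackageInfo), models only the two-byte SSL2 header and the five-byte SSL3/TLS record header, does not inspect the record body, and uses constructed byte strings rather than captured traffic:

```c
/* Added example: pre-check the claimed size of a peer's first SSL/TLS record
 * against the package's maximum token size before calling ASC.
 * Assumptions: MAX_TOKEN_BYTES stands in for SecPkgInfo.cbMaxToken; only the
 * SSL2 2-byte header and the SSL3/TLS 5-byte record header are modelled. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_TOKEN_BYTES 16384u   /* stand-in for cbMaxToken (assumption) */

enum hello_verdict {
    HELLO_NEED_MORE,   /* the situation SEC_E_INCOMPLETE_MESSAGE reports */
    HELLO_COMPLETE,    /* whole first record buffered: safe to call ASC */
    HELLO_REJECT       /* can never fit one token: drop the connection */
};

/* Parse just the record header, as schannel must, to learn how many bytes
 * the peer's first record claims to occupy. *claimed_total receives that
 * size once it is computable, 0 otherwise. */
enum hello_verdict classify_hello(const uint8_t *buf, size_t len,
                                  size_t *claimed_total)
{
    *claimed_total = 0;
    if (len == 0)
        return HELLO_NEED_MORE;

    if (buf[0] == 0x16) {                  /* SSL3/TLS handshake record */
        if (len < 5)
            return HELLO_NEED_MORE;        /* header itself incomplete */
        if (buf[1] != 0x03)                /* major version 3 = SSL3/TLS */
            return HELLO_REJECT;
        *claimed_total = 5u + (((size_t)buf[3] << 8) | buf[4]);
    } else if (buf[0] & 0x80) {            /* SSL2 2-byte header, 15-bit length */
        if (len < 2)
            return HELLO_NEED_MORE;
        *claimed_total = 2u + ((((size_t)buf[0] & 0x7f) << 8) | buf[1]);
    } else {
        return HELLO_REJECT;               /* neither framing: garbage */
    }

    if (*claimed_total > MAX_TOKEN_BYTES)
        return HELLO_REJECT;               /* exceeds cbMaxToken: error out */
    return len < *claimed_total ? HELLO_NEED_MORE : HELLO_COMPLETE;
}

/* Simulate the server's receive loop: feed `chunk` bytes of the stream per
 * iteration and stop as soon as the verdict is no longer NEED_MORE.
 * *buffered receives how many bytes had to be collected before deciding. */
enum hello_verdict drain_hello(const uint8_t *stream, size_t stream_len,
                               size_t chunk, size_t *buffered)
{
    size_t total = 0;
    enum hello_verdict v = HELLO_NEED_MORE;
    *buffered = 0;
    while (*buffered < stream_len) {
        size_t left = stream_len - *buffered;
        *buffered += left < chunk ? left : chunk;
        v = classify_hello(stream, *buffered, &total);
        if (v != HELLO_NEED_MORE)
            break;
    }
    return v;
}

/* Constructed inputs (not captured traffic). */
static const uint8_t tls_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x06,          /* TLS 1.0 handshake record, 6-byte body */
    0x01, 0x00, 0x00, 0x02, 0x03, 0x01 };  /* start of a ClientHello */
static const uint8_t ssl2_hello[] = {
    0x80, 0x03,                            /* SSL2 header: 3 bytes follow */
    0x01, 0x00, 0x02 };                    /* CLIENT-HELLO, version 0.2 */
static const uint8_t random_junk[] = {     /* "random" bytes: high bit set, so */
    0xC7, 0x3A, 0x11, 0x9E };              /* read as SSL2 claiming 18234 bytes */
static const uint8_t huge_tls[] = {
    0x16, 0x03, 0x03, 0x7F, 0xFF };        /* TLS record claiming 32767 bytes */

int main(void)
{
    static const char *names[] = { "need more", "complete", "reject" };
    size_t n;
    printf("tls hello   : %s (%zu bytes)\n",
           names[drain_hello(tls_hello, sizeof tls_hello, 4, &n)], n);
    printf("ssl2 hello  : %s (%zu bytes)\n",
           names[drain_hello(ssl2_hello, sizeof ssl2_hello, 4, &n)], n);
    printf("random junk : %s (%zu bytes)\n",
           names[drain_hello(random_junk, sizeof random_junk, 1, &n)], n);
    printf("huge tls    : %s (%zu bytes)\n",
           names[drain_hello(huge_tls, sizeof huge_tls, 5, &n)], n);
    return 0;
}
```

The random input is rejected after two bytes because its claimed SSL2 length already exceeds the cap; random bytes whose claimed length happens to be under the cap still produce a bounded NEED_MORE, since once that many bytes arrive ASC gets a full record to fail on. Either way the receive loop cannot run forever.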