Re: AcceptSecurityContext with invalid data returns SEC_E_INCOMPLETE_MESSAGE?

From: John Banes (jabanes_at_comcast.remove.net)
Date: 11/15/05

  • Next message: Alun Jones: "Re: AcceptSecurityContext with invalid data returns SEC_E_INCOMPLETE_MESSAGE?" 
    Date: Tue, 15 Nov 2005 14:31:13 -0800

    I was suggesting that you look at the webclient and webserver programs for
    general guidelines on programming SSPI/SSL--just to make sure that you were
    aware of their existence. I didn't mean to suggest that it handled this
    particular situation correctly! It's probably been several years since I've
    looked at the public versions of these samples and so I wasn't sure how they
    handled this case.

    I don't see anything wrong with your analysis. :-)

    "Tony" <tony@somewhere.com> wrote in message
    news:O28hn6f6FHA.3636@TK2MSFTNGP09.phx.gbl...
    > Hi John,
    >
    > Thanks for the reply. You are correct, these are my first calls to ASC so
    > it definately has to do with interpretting an SSL ClientHello message.
    >
    > I have been looking at the web server sample application hoping for an
    > answer to my question. However, in the SSPINegotiateLoop call, it appears
    > to me that the application is plagued with the same problem I am having
    > (it actually seems worse since I believe there is a buffer overflow
    > problem during the handshaking).
    >
    > In SSPINegotiateLoop, the ASC call is effectively in a loop where first
    > data is read in, and then ASC is called. This happens as long as
    > SEC_E_INCOMPLETE_MESSAGE is returned (or others, but that error code is
    > the one I am interested in). Now, during the recv call for data we have:
    >
    > err = recv(Socket, IoBuffer+cbIoBuffer,IO_BUFFER_SIZE, 0);
    >
    > where IoBuffer is BYTE IoBuffer[IO_BUFFER_SIZE]. Note the problem? There
    > is a request for always IO_BUFFER_SIZE of bytes, but the passed in buffer
    > is continually shrinking by cbIoBuffer. I think the correct code should
    > be:
    >
    > err = recv(Socket, IoBuffer+cbIoBuffer,IO_BUFFER_SIZE-cbIoBuffer, 0);
    >
    > Hence, I suspect the web server would then abort the handshaking operation
    > worst-case after it receives IO_BUFFER_SIZE (which is 64k). That seems
    > like an awefully large amount of data to collect before deciding to abort
    > on the ClientHello message.
    >
    > Could I be mistaken?
    >
    > Regards,
    >
    > Anthony
    >
    >
    >
    > "John Banes" <jabanes@comcast.remove.net> wrote in message
    > news:uObQeBb6FHA.252@TK2MSFTNGP15.phx.gbl...
    >> You can query the SSPI package info to get the maximum buffer size you
    >> should be using. In the case of schannel this is something perilously
    >> close to 16kb. If the incoming packet exceeds this size then you should
    >> feel free to error out and drop the connection.
    >>
    >> I'm guessing that this is your first call to ASC, and so the data in the
    >> input buffer is being interpreted as an SSL ClientHello message. Schannel
    >> will parse this data and attempt to figure out the protocol (SSL2, SSL3,
    >> or TLS) and the packet size. I suspect that it doesn't do any further
    >> processing until the entire packet has been received. In the case of
    >> random data, this data is probably being interpreted as an SSL2
    >> ClientHello message. This type of message doesn't have much structure,
    >> and so schannel is probably parsing out some huge number as the packet
    >> size, hence the incomplete message errors.
    >>
    >> Be sure to look at the webclient and webserver samples in the platform
    >> sdk. I don't want to name names, but the guy that wrote these programs
    >> wasn't completely clueless...
    >>
    >> Regards,
    >> John
    >>
    >>
    >> "Tony" <tony@somewhere.com> wrote in message
    >> news:O5sUiQU6FHA.3416@TK2MSFTNGP15.phx.gbl...
    >>> Hi all,
    >>>
    >>> I am writing an application that accepts SSL connections over a socket.
    >>> In testing my application against incorrect data, I have written a test
    >>> app that connects to my socket and then throws random data at it.
    >>>
    >>> During the handshaking operation, I was expecting the
    >>> AcceptSecurityContext call to tell me the data is bad... but instead I
    >>> always get the SEC_E_INCOMPLETE_MESSAGE response. Collecting more data
    >>> and making the call always produces the same results. Consequently, I
    >>> never resolve the handshaking operation to have failed, and endlessly
    >>> collect data.
    >>>
    >>> I was wondering if anyone had any thoughts as to what the correct
    >>> procedure is to detecting this type of situation?
    >>>
    >>> Regards,
    >>>
    >>> Anthony
    >>>
    >>
    >>
    >
    >

  • Next message: Alun Jones: "Re: AcceptSecurityContext with invalid data returns SEC_E_INCOMPLETE_MESSAGE?"