In order to support RPC message encryption and signing, `EncryptMessage` and `DecryptMessage` need to support security buffers marked as `SECBUFFER_READONLY_WITH_CHECKSUM`. This flag indicates the bytes in that buffer are not part of the encrypted payload but are included in the header signature. For example, here is what the SSPI calls look like from the RPC client. It uses 5 buffers:

[0] - SECBUFFER_DATA | SECBUFFER_READONLY_WITH_CHECKSUM
[1] - SECBUFFER_DATA
[2] - SECBUFFER_DATA | SECBUFFER_READONLY_WITH_CHECKSUM
Contains the RPC PDU security trailer bytes which are integrity protected by the resulting signature
[3] - SECBUFFER_TOKEN
Buffer containing the resulting signature
[4] - SECBUFFER_PKG_PARAMS | SECBUFFER_READONLY
Unsure but certainly not needed/included in the resulting header token

The corresponding `DecryptMessage` uses the same buffers, and the input data for the buffers flagged with `SECBUFFER_READONLY_WITH_CHECKSUM` is used when verifying the input signature.
When testing this a bit further, it seems like support for just `SECBUFFER_READONLY` might also be missing. This would be required if using DCE encryption without a signed header as well. The same SSPI buffers are used, but instead of `SECBUFFER_READONLY_WITH_CHECKSUM` they are `SECBUFFER_READONLY`.
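The following is an added example, not code from this issue or from the project it was filed against. It models what `EncryptMessage`/`DecryptMessage` do with the five-buffer RPC layout above and with the plain `SECBUFFER_READONLY` variant from the follow-up comment, so the buffer semantics can be exercised offline: plain `SECBUFFER_DATA` is sealed and signed, `SECBUFFER_DATA | SECBUFFER_READONLY_WITH_CHECKSUM` is signed but left in the clear, `SECBUFFER_READONLY` and `SECBUFFER_PKG_PARAMS` are neither, and the signature lands in `SECBUFFER_TOKEN`. The buffer type and flag constants are the `sspi.h` values; everything else is an assumption for illustration: a toy SHA-256 counter-mode keystream and HMAC-SHA256 stand in for the security package's real cipher and signature, string status names stand in for `SECURITY_STATUS` codes, buffer [0] is assumed to be the PDU header, and the `SECBUFFER_PKG_PARAMS` content is a placeholder byte.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Buffer types and attribute flags, numeric values as in sspi.h.
SECBUFFER_DATA = 1
SECBUFFER_TOKEN = 2
SECBUFFER_PKG_PARAMS = 3
SECBUFFER_READONLY_WITH_CHECKSUM = 0x10000000
SECBUFFER_READONLY = 0x80000000
SECBUFFER_ATTRMASK = 0xF0000000
SIG_LEN = 32  # HMAC-SHA256 stands in for the package's signature size (assumption)

@dataclass
class SecBuffer:
    """BufferType is type | attribute flags; data is mutated in place, as SSPI does."""
    buffer_type: int
    data: bytearray

def _kind(b):
    return b.buffer_type & ~SECBUFFER_ATTRMASK

def is_sealed(b):
    """Only plain SECBUFFER_DATA is encrypted; either read-only flag exempts it."""
    ro_any = SECBUFFER_READONLY | SECBUFFER_READONLY_WITH_CHECKSUM
    return _kind(b) == SECBUFFER_DATA and not b.buffer_type & ro_any

def is_signed(b):
    """Sealed DATA and DATA|READONLY_WITH_CHECKSUM are covered by the signature;
    DATA|READONLY alone is neither sealed nor signed."""
    with_checksum = bool(b.buffer_type & SECBUFFER_READONLY_WITH_CHECKSUM)
    return is_sealed(b) or (_kind(b) == SECBUFFER_DATA and with_checksum)

def _xor_sealed(key, seq_no, buffers):
    """Toy stream cipher (SHA-256 counter mode, NOT a real package cipher) XORed
    over the sealed buffers in order; calling it again unseals."""
    sealed = [b for b in buffers if is_sealed(b)]
    need = sum(len(b.data) for b in sealed)
    ks = b"".join(hashlib.sha256(key + seq_no.to_bytes(4, "little") + n.to_bytes(4, "little")).digest()
                  for n in range(need // 32 + 1))
    pos = 0
    for b in sealed:
        for i in range(len(b.data)):
            b.data[i] ^= ks[pos + i]
        pos += len(b.data)

def _signature(key, seq_no, buffers):
    """MAC over the sequence number and every signed buffer, in buffer order."""
    mac = hmac.new(key, seq_no.to_bytes(4, "little"), hashlib.sha256)
    for b in buffers:
        if is_signed(b):
            mac.update(bytes(b.data))
    return mac.digest()

def encrypt_message(key, seq_no, buffers):
    """Sign the plaintext of the signed buffers into SECBUFFER_TOKEN, then seal."""
    tokens = [b for b in buffers if _kind(b) == SECBUFFER_TOKEN]
    if len(tokens) != 1:
        return "SEC_E_INVALID_TOKEN"
    tokens[0].data[:] = _signature(key, seq_no, buffers)
    _xor_sealed(key, seq_no, buffers)
    return "SEC_E_OK"

def decrypt_message(key, seq_no, buffers):
    """Unseal, then verify SECBUFFER_TOKEN against the signed buffers, which
    include the caller-supplied READONLY_WITH_CHECKSUM bytes."""
    tokens = [b for b in buffers if _kind(b) == SECBUFFER_TOKEN]
    if len(tokens) != 1:
        return "SEC_E_INVALID_TOKEN"
    _xor_sealed(key, seq_no, buffers)
    if not hmac.compare_digest(_signature(key, seq_no, buffers), bytes(tokens[0].data)):
        return "SEC_E_MESSAGE_ALTERED"
    return "SEC_E_OK"

def rpc_buffers(header, stub, sec_trailer, signed_header=True):
    """The five-buffer layout from the issue; signed_header=False is the follow-up
    comment's variant with plain SECBUFFER_READONLY on the header and trailer."""
    ro = SECBUFFER_READONLY_WITH_CHECKSUM if signed_header else SECBUFFER_READONLY
    return [
        SecBuffer(SECBUFFER_DATA | ro, bytearray(header)),       # [0] PDU header (assumed)
        SecBuffer(SECBUFFER_DATA, bytearray(stub)),              # [1] stub data: sealed and signed
        SecBuffer(SECBUFFER_DATA | ro, bytearray(sec_trailer)),  # [2] sec_trailer bytes
        SecBuffer(SECBUFFER_TOKEN, bytearray(SIG_LEN)),          # [3] signature is written here
        SecBuffer(SECBUFFER_PKG_PARAMS | SECBUFFER_READONLY, bytearray(1)),  # [4] placeholder, never covered
    ]

# Constructed sample inputs, not real RPC traffic.
KEY = bytes(range(32))
HEADER, STUB, TRAILER = b"rpc-pdu-header", b"stub data that must stay sealed on the wire", b"sec_trailer"

def roundtrip(signed_header=True, tamper=None):
    """Client encrypts; the bytes cross the wire (optionally with one bit flipped
    in buffer index `tamper`); the server decrypts.  Returns (status, stub)."""
    client = rpc_buffers(HEADER, STUB, TRAILER, signed_header)
    assert encrypt_message(KEY, 1, client) == "SEC_E_OK"
    wire = [bytearray(b.data) for b in client]
    assert wire[0] == HEADER and wire[1] != STUB  # header stays clear, stub is sealed
    if tamper is not None:
        wire[tamper][0] ^= 0x01
    server = [SecBuffer(b.buffer_type, wire[i]) for i, b in enumerate(client)]
    status = decrypt_message(KEY, 1, server)
    return status, (bytes(server[1].data) if status == "SEC_E_OK" else None)
```

`roundtrip(tamper=0)` fails with the signed-header layout because the header is `READONLY_WITH_CHECKSUM`, while `roundtrip(signed_header=False, tamper=0)` succeeds because a plain `READONLY` header is not covered by the signature; flipping a bit in the `PKG_PARAMS` buffer never fails either way.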