Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support SECBUFFER_STREAM, SECBUFFER_DATA on DecryptMessage #84

Closed
jborean93 opened this issue Nov 21, 2022 · 3 comments · Fixed by #182
Closed

Support SECBUFFER_STREAM, SECBUFFER_DATA on DecryptMessage #84

jborean93 opened this issue Nov 21, 2022 · 3 comments · Fixed by #182
Assignees
@RRRadicalEdward
Milestone
2023-Feb

Comments

@jborean93
Copy link

jborean93 commented Nov 21, 2022
edited
Loading

The SSPI documentation for interop with GSSAPI uses the following example for decryption when dealing with gss_wrap

wrap_buf_desc.cBuffers = 2;
wrap_buf_desc.pBuffers = wrap_bufs;
wrap_buf_desc.ulVersion = SECBUFFER_VERSION; 

// This buffer is for SSPI.
wrap_bufs[0].BufferType = SECBUFFER_STREAM;
wrap_bufs[0].pvBuffer = xmit_buf.pvBuffer;
wrap_bufs[0].cbBuffer = xmit_buf.cbBuffer;

// This buffer holds the application data.
wrap_bufs[1].BufferType = SECBUFFER_DATA;
wrap_bufs[1].cbBuffer = 0;
wrap_bufs[1].pvBuffer = NULL;
maj_stat = DecryptMessage(
&context,
&wrap_buf_desc,
0, // no sequence number
&qop
);

// This is where the data is.
msg_buf = wrap_bufs[1];

There are 2 buffers used in this example

  • SECBUFFER_STREAM - the encrypted bytes to decrypt
  • SECBUFFER_DATA - empty buffer

During the decryption process SSPI will decrypt the stream contents in place and set the pvBuffer and cbBuffer to the location and length of the decrypted payload on return.

Right now DecryptMessage expects the SECBUFFER_TOKEN and SECBUFFER_DATA buffers to be used where the token is the encrypted message to decrypt and SECBUFFER_DATA is the "header" associated with that data. This is fine if you know the sizes of the header but in my case I do not and SECBUFFER_STREAM is needed.
@RRRadicalEdward RRRadicalEdward mentioned this issue Feb 9, 2023
Merged
@CBenoit
Copy link
Member

CBenoit commented Feb 9, 2023

Addressed by #100

@CBenoit CBenoit closed this as completed Feb 9, 2023
@dbl-cross dbl-cross added this to the 2023-Feb milestone Feb 15, 2023
@jborean93
Copy link
Author

Looks like PR #100 only implemented it for Kerberos and PKU2U. Would we be able to re-open this issue until support for this with NTLM is also in place?

@CBenoit
Copy link
Member

CBenoit commented Sep 20, 2023

Oh! Sure. cc @awakecoding @RRRadicalEdward

@CBenoit CBenoit reopened this Sep 20, 2023
@pauldumais pauldumais linked a pull request Oct 26, 2023 that will close this issue
Ntlm fixes for disabled sealing and signing #182
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@RRRadicalEdward RRRadicalEdward

Labels
None yet
Milestone
2023-Feb
Development

Successfully merging a pull request may close this issue.

Ntlm fixes for disabled sealing and signing Devolutions/sspi-rs
4 participants
@CBenoit @jborean93 @RRRadicalEdward @dbl-cross