PRB: Obtaining Maximum Buffer Size for SSL Encryption Operations (262403)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Win32 Application Programming Interface (API)
  • Microsoft Windows 98
  • Microsoft Windows NT Server 4.0 SP5
  • Microsoft Windows NT Server 4.0 SP6
  • Microsoft Windows NT Server 4.0 SP6a
  • Microsoft Windows NT Workstation 4.0 SP5
  • Microsoft Windows NT Workstation 4.0 SP6
  • Microsoft Windows NT Workstation 4.0 SP6a

This article was previously published under Q262403

SYMPTOMS

When you use the Security Support Provider Interface (SSPI) to perform Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption, you can determine the encryption buffer size by using QueryContextAttributes. However, using the cbMaximumMessage value from the SecPkgContext_StreamSizes structure returned by QueryContextAttributes as the message buffer size for the EncryptMessage or DecryptMessage API might cause the API to fail on some platforms, with the following error message:
0x80090304 - SEC_E_INTERNAL_ERROR

CAUSE

Differences between SSPI SSL protocol implementations and different properties for a given SSL or TLS connection can result in a variance of the maximum message buffer size limit.

RESOLUTION

To specify a maximum size that is safe in all cases, use the cbMaximumMessage value from QueryContextAttributes minus the header and trailer sizes: cbMaximumMessage - (cbHeader + cbTrailer).

The following code snippet demonstrates how to set up the security buffers for a call to the EncryptMessage function, with a modified maximum message size.

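SecPkgContext_StreamSizes Sizes;
SecBufferDesc Message;
SecBuffer Buffers[4];
PBYTE pMsgBuf;    /* byte pointer, so the offsets below are counted in bytes */
DWORD cbMsgBuf;

scRet = QueryContextAttributes(&hContext, SECPKG_ATTR_STREAM_SIZES, &Sizes);

/* One allocation holds header + data + trailer. */
pMsgBuf = (PBYTE)LocalAlloc(LMEM_FIXED, Sizes.cbMaximumMessage);
/* Largest data size that is safe in all cases. */
cbMsgBuf = Sizes.cbMaximumMessage - (Sizes.cbHeader + Sizes.cbTrailer);
/* Check scRet and pMsgBuf here; error handling is omitted in this snippet. */

Buffers[0].pvBuffer = pMsgBuf;
Buffers[0].cbBuffer = Sizes.cbHeader;
Buffers[0].BufferType = SECBUFFER_STREAM_HEADER;

/* The data to encrypt is placed directly after the header area. */
Buffers[1].pvBuffer = pMsgBuf + Sizes.cbHeader;
Buffers[1].cbBuffer = cbMsgBuf;
Buffers[1].BufferType = SECBUFFER_DATA;

Buffers[2].pvBuffer = pMsgBuf + Sizes.cbHeader + cbMsgBuf;
Buffers[2].cbBuffer = Sizes.cbTrailer;
Buffers[2].BufferType = SECBUFFER_STREAM_TRAILER;

Buffers[3].pvBuffer = NULL;
Buffers[3].cbBuffer = 0;
Buffers[3].BufferType = SECBUFFER_EMPTY;

/* Describe the four buffers to EncryptMessage. */
Message.ulVersion = SECBUFFER_VERSION;
Message.cBuffers = 4;
Message.pBuffers = Buffers;

scRet = EncryptMessage(&hContext,
                       0,
                       &Message,
                       0);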
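
The following is an added example, not part of the original article or of Microsoft's code. It applies the same size rule to a payload larger than one record, splitting it into chunks of at most cbMaximumMessage - (cbHeader + cbTrailer) bytes and computing where each SecBuffer would point. StreamSizes is a stand-in for SecPkgContext_StreamSizes so that the code builds without the Windows SDK; safe_payload_size, next_record and the sample sizes are hypothetical, and EncryptMessage itself is not called.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the SecPkgContext_StreamSizes fields used above (assumption:
   lets the sketch build without the Windows SDK). */
typedef struct { uint32_t cbHeader, cbTrailer, cbMaximumMessage; } StreamSizes;
/* Hypothetical helper type: where each SecBuffer would point inside the buffer. */
typedef struct { size_t data_off, data_len, trailer_off, total_len; } RecordLayout;

/* Largest plaintext per EncryptMessage call: cbMaximumMessage - (header + trailer).
   Returns 0 when the reported sizes leave no room for data. */
size_t safe_payload_size(const StreamSizes *s)
{
    uint64_t overhead = (uint64_t)s->cbHeader + s->cbTrailer;
    return overhead >= s->cbMaximumMessage ? 0 : (size_t)(s->cbMaximumMessage - overhead);
}

/* Stage the next chunk of src in buf after the header area and describe the layout.
   Returns 1 if a record was staged, 0 when src is exhausted, -1 on unusable sizes. */
int next_record(const StreamSizes *s, const uint8_t *src, size_t src_len,
                size_t *consumed, uint8_t *buf, size_t buf_len, RecordLayout *out)
{
    size_t max_data = safe_payload_size(s);
    if (max_data == 0 || buf_len < s->cbMaximumMessage || *consumed > src_len)
        return -1;
    if (*consumed == src_len)
        return 0;
    size_t left = src_len - *consumed;
    size_t n = left > max_data ? max_data : left;   /* never exceed the safe size */
    out->data_off = s->cbHeader;                    /* header occupies [0, cbHeader) */
    out->data_len = n;
    out->trailer_off = out->data_off + n;           /* trailer follows the actual data */
    out->total_len = out->trailer_off + s->cbTrailer;
    memcpy(buf + out->data_off, src + *consumed, n);
    *consumed += n;
    return 1;
}

int main(void)
{
    StreamSizes sizes = { 5, 16, 16384 };   /* constructed values, not from a real context */
    static uint8_t payload[40000], buf[16384];
    size_t used = 0;
    RecordLayout r;
    while (next_record(&sizes, payload, sizeof payload, &used, buf, sizeof buf, &r) == 1)
        printf("data=%zu total=%zu\n", r.data_len, r.total_len);
    return 0;
}
```

In a real caller, each staged record would be passed to EncryptMessage with Buffers[1].cbBuffer set to data_len and the trailer buffer placed at trailer_off, so the final short chunk is laid out correctly as well.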
				

Modification Type: Minor
Last Reviewed: 12/21/2004
Keywords:kbprb KB262403