Posted by amit on December 22, 2005, 4:12 am
Hi all,
I'm using Microsoft® Platform SDK 2003 and my client program is using SSPI calls. I'm able to get the 4-octet string token from the TGT server just before the final step of the handshaking mechanism in the SASL connection, i.e. my final step of the three-way handshaking is broken in the final step where I'm calling EncryptMessage(..) [equivalent to gss_wrap(..) in GSSAPI]. It is returning some garbage value (-122346..34) instead of SEC_E_OK;
-------------------------------------
SAME WAY I'VE TRIED THE HANDSHAKING MECHANISM USING GSSAPI CALLS AND
.....EVERYTHING IS WORKING FINE...
WHILE USING SSPI CALLS.....I'M GETTING PROBLEMS...............!!
Here is the code snippet ----
--------- this step succeeded
err = pSecurityInterface->InitializeSecurityContext(&hcredClient,
        pClientCtxHandleIn,
        TEXT("LDAP/ps2345.intranet.xyz.com@INTRANET.XYZ.COM"),
        grfRequiredCtxAttrsClient, 0, SECURITY_NATIVE_DREP, pClientInput, 0,
        pClientCtxHandleOut, pClientOutput, &grfCtxAttrsClient,
        &expiryClientCtx);
// the context token produced above becomes the credential of the first SASL bind
cbv.bv_len = pClientOutput->pBuffers[0].cbBuffer;
cbv.bv_val = (char*)pClientOutput->pBuffers[0].pvBuffer;
// successful call verified.....
retval = ldap_sasl_bind_s(ld, NULL, "GSSAPI", &cbv, NULL, NULL, &sbv);
if (retval == LDAP_SASL_BIND_IN_PROGRESS || retval == LDAP_SUCCESS)
{
    cbv.bv_len = 0;
    cbv.bv_val = NULL;
    if (sbv) {
        ber_bvfree(sbv);
        sbv = NULL;
    }
    // replying to the challenge with a NULL value
    retval = ldap_sasl_bind_s(ld, NULL, "GSSAPI", &cbv, NULL, NULL, &sbv);
    if (retval == LDAP_SASL_BIND_IN_PROGRESS || retval == LDAP_SUCCESS)
    {
        // the server's reply is a wrapped token: SECBUFFER_STREAM in,
        // the decrypted 4 octets come back in the SECBUFFER_DATA buffer
        inSecBufDesc.ulVersion = SECBUFFER_VERSION;
        inSecBufDesc.cBuffers = 2;
        inSecBufDesc.pBuffers = &inSecBuf[0];
        inSecBuf[0].BufferType = SECBUFFER_STREAM;
        inSecBuf[0].cbBuffer = sbv->bv_len;
        inSecBuf[0].pvBuffer = sbv->bv_val;
        inSecBuf[1].BufferType = SECBUFFER_DATA;
        inSecBuf[1].cbBuffer = 0;
        inSecBuf[1].pvBuffer = NULL;
        ULONG mylongVal = 0;
        // Decrypting the response.
        err = pSecurityInterface->DecryptMessage(pClientCtxHandleIn,
                                                 &inSecBufDesc,
                                                 0, &mylongVal);
-------------- till here everything is successful....verified with the
corresponding GSSAPI call ...the (inSecBufDesc).pBuffers[1] contains the
4-byte octet string....Now according to rfc2222.txt, the final step
requires wrapping the data (EncryptMessage call) in this case and using the
final ldap_sasl_bind_s call
        err = pSecurityInterface->QueryContextAttributes(
                  pClientCtxHandleIn, SECPKG_ATTR_SIZES, &sizes);
        // payload length: 4 octets (layer mask + max size) + authorization identity
        passWd_Len = strlen("myuserid@INTRANET.XYZ.COM") + 4;
        // read the server's 24-bit maximum message size from octets 1..3
        ptr = (unsigned char *)inSecBufDesc.pBuffers[1].pvBuffer;
        maxsz = (ptr[1]<<16) | (ptr[2]<<8) | (ptr[3]);
        // build the client token; first octet 1 = no security layer
        ptr = (unsigned char *)malloc(passWd_Len);
        ptr[0] = 1;
        ptr[1] = maxsz>>16;
        ptr[2] = maxsz>>8;
        ptr[3] = maxsz;
        // copy the authzid by length: sprintf would write its terminating NUL
        // one byte past the end of the passWd_Len buffer
        memcpy(&ptr[4], "myuserid@INTRANET.XYZ.COM", passWd_Len - 4);
---------------------------till here everything is ok....SAME AS DONE
WITH GSSAPI CALLS AND IT SUCCEEDED ...EVERYTHING IS FINE TILL HERE. NOW
THE JOB IS TO ENCRYPT AND SEND IT TO THE SERVER IN THE FINAL
CALL.-------------
--------------------The problem lies in the next part of the code
---------------------
        // Need three buffers, two for the SSP and one to hold the
        // application data.
        inSecBufDescSecond.ulVersion = SECBUFFER_VERSION;
        inSecBufDescSecond.cBuffers = 3;
        inSecBufDescSecond.pBuffers = &inSecBufSec[0];
        // signature / wrap header, sized from SECPKG_ATTR_SIZES
        inSecBufSec[0].BufferType = SECBUFFER_TOKEN;
        inSecBufSec[0].cbBuffer = sizes.cbSecurityTrailer;
        inSecBufSec[0].pvBuffer = malloc(sizes.cbSecurityTrailer);
        // This buffer holds the application data.
        inSecBufSec[1].BufferType = SECBUFFER_DATA;
        inSecBufSec[1].cbBuffer = passWd_Len;
        inSecBufSec[1].pvBuffer = malloc(inSecBufSec[1].cbBuffer);
        memcpy(inSecBufSec[1].pvBuffer, ptr, passWd_Len);
        inSecBufSec[2].BufferType = SECBUFFER_PADDING;
        inSecBufSec[2].cbBuffer = sizes.cbBlockSize;
        inSecBufSec[2].pvBuffer = malloc(inSecBufSec[2].cbBuffer);
        // fQOP tried both as 0 and as SECQOP_WRAP_NO_ENCRYPT (see below)
        err = pSecurityInterface->EncryptMessage(pClientCtxHandleIn,
                  0 /* or SECQOP_WRAP_NO_ENCRYPT */, &inSecBufDescSecond, 0);
----> if I keep the second argument as SECQOP_WRAP_NO_ENCRYPT ....the call
returns SEC_E_OK, but inSecBufDescSecond.pBuffers[1] does not contain
the expected data. On the other hand, keeping the second argument
0...returns error (-2146893054)
Let me know...where is the problem??
Amit
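As an added example, not code from Amit's post: the RFC 2222 section 7.2.1 token handling for this final step in plain C, with the authorization identity copied by length rather than with sprintf, plus the assembly of the three SSPI wrap buffers into the single token that the last ldap_sasl_bind_s sends. WrapBuf is a local stand-in for SSPI's SecBuffer so the block compiles without sspi.h; the sample tokens are constructed.

```c
/* Added example, not Amit's code: RFC 2222 7.2.1 token handling for the
 * SASL GSSAPI final step and assembly of the SSPI wrap output buffers.
 * WrapBuf is a local stand-in for SSPI's SecBuffer (no sspi.h needed). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define SASL_GSS_LAYER_NONE 0x01 /* bit-mask value for "no security layer" */
typedef struct { uint32_t cbBuffer; void *pvBuffer; } WrapBuf;

/* Decode the server's 4 cleartext octets: offered-layer bit-mask, then the
 * 24-bit max message size. Returns -1 if short or if the wanted layer is not
 * offered (the post selects layer 1 without checking the mask). */
int parse_server_token(const unsigned char *tok, size_t len, unsigned char want,
                       unsigned char *layers, uint32_t *maxsz)
{
    if (len < 4) return -1;
    *layers = tok[0];
    *maxsz = ((uint32_t)tok[1] << 16) | ((uint32_t)tok[2] << 8) | tok[3];
    return (tok[0] & want) ? 0 : -1;
}

/* Build the client reply: chosen layer, our max receive size, authzid. The
 * buffer is exactly 4 + strlen(authzid) bytes; memcpy avoids the trailing NUL
 * that sprintf would write one byte past the end. Caller frees. */
unsigned char *build_client_token(unsigned char layer, uint32_t maxsz,
                                  const char *authzid, size_t *out_len)
{
    size_t n = strlen(authzid);
    unsigned char *p = malloc(4 + n);
    if (!p) return NULL;
    p[0] = layer;
    p[1] = (maxsz >> 16) & 0xff;
    p[2] = (maxsz >> 8) & 0xff;
    p[3] = maxsz & 0xff;
    memcpy(p + 4, authzid, n);
    *out_len = 4 + n;
    return p;
}

/* After EncryptMessage the SSP has rewritten each cbBuffer; the wire token for
 * the final bind is token || data || padding with those lengths. Caller frees. */
unsigned char *join_wrap_buffers(const WrapBuf *b, int n, size_t *out_len)
{
    size_t total = 0, off = 0;
    for (int i = 0; i < n; i++) total += b[i].cbBuffer;
    unsigned char *out = malloc(total ? total : 1);
    if (!out) return NULL;
    for (int i = 0; i < n; i++) { memcpy(out + off, b[i].pvBuffer, b[i].cbBuffer); off += b[i].cbBuffer; }
    *out_len = total;
    return out;
}
```

For reference, the value -2146893054 quoted in the post is 0x80090302, which winerror.h names SEC_E_UNSUPPORTED_FUNCTION. With SECQOP_WRAP_NO_ENCRYPT the SSP only signs, so the SECBUFFER_DATA buffer is left as plaintext and the signature lands in the SECBUFFER_TOKEN buffer; the three buffers still have to be concatenated before they are sent.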
Posted by amit on December 22, 2005, 7:40 am
into ldap environment.