Jon G
2004-02-02 15:56:11 UTC
I am writing a client application using CryptoAPI/SChannel to connect to the server over TLS/SSL. After the handshake completes, a few Receive/Decrypt and Encrypt/Send cycles go by without incident. On the third or fourth Receive/Decrypt, I get a return code of SEC_E_MESSAGE_ALTERED from DecryptMessage.
Then I noticed the following in the Platform SDK documentation:
'When using the Schannel SSP in "streaming" mode, that is, when the ISC_REQ_STREAM or ASC_REQ_STREAM flag was specified during the handshake, EncryptMessage or DecryptMessage cannot be called at the same time from multiple threads unless each thread has its own SSPI context because each encryption or decryption operation changes the internal state of the encryption key. If the encryption key states are not synchronized on the client and server, the decryption operation fails.'
My application does use separate send and receive threads in "streaming" mode, so I decided to give each thread it's own SSPI context using ExportSecurityContext and ImportSecurityContext to "copy" the single CtxtHandle that I was using before. (I'm not sure the CtxtHandle is even what the documentation is referring to by "SSPI context.") I ended up getting the same error at the same time. So I have a few questions...
1) Is this the proper way of giving each thread its own SSPI context the way I described above? If not, what is?
2) Why am I getting the SEC_E_MESSAGE_ALTERED error?
3) Do the above questions have anything to do with one another?
Any help is appreciated.
Then I noticed the following in the Platform SDK documentation:
'When using the Schannel SSP in "streaming" mode, that is, when the ISC_REQ_STREAM or ASC_REQ_STREAM flag was specified during the handshake, EncryptMessage or DecryptMessage cannot be called at the same time from multiple threads unless each thread has its own SSPI context because each encryption or decryption operation changes the internal state of the encryption key. If the encryption key states are not synchronized on the client and server, the decryption operation fails.'
My application does use separate send and receive threads in "streaming" mode, so I decided to give each thread it's own SSPI context using ExportSecurityContext and ImportSecurityContext to "copy" the single CtxtHandle that I was using before. (I'm not sure the CtxtHandle is even what the documentation is referring to by "SSPI context.") I ended up getting the same error at the same time. So I have a few questions...
1) Is this the proper way of giving each thread its own SSPI context the way I described above? If not, what is?
2) Why am I getting the SEC_E_MESSAGE_ALTERED error?
3) Do the above questions have anything to do with one another?
Any help is appreciated.