Problem description
I'm trying to use BCryptEncrypt to authenticate some AAD but the function is failing with STATUS_INVALID_PARAMETER. BCryptEncrypt takes 10 parameters. One of the parameters is BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO. BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO takes another 13 parameters.
Running my test program results in:
>.\bcrypt-gmac.exe
BCryptEncrypt error, 0xc000000d (STATUS_INVALID_PARAMETER)
STATUS_INVALID_PARAMETER is not very helpful in this case.
My question is, how do I determine which of the 23 parameters is causing the error when using Bcrypt?
Is there a way to get extended error information, like through BcryptPropertyGet (maybe a LAST_ERROR_PARAMETER or something similar)?
Or does Microsoft expect us to guess at the problem? In this case, I guess the answer is, "you can't".
The Microsoft docs don't provide examples of using Bcrypt. I also cannot find helpful examples on Stack Overflow or MSDN. Even Writing Secure Code for Windows Vista fails to provide examples.
Here is the treatment in Writing Secure Code for Windows Vista. It amounts to pseudo-code, which is very disappointing:
I spent the better part of the day today struggling with this very issue. While I don't have a good way to answer your question as to how to determine, in a generic way, which parameter exactly is bad, I'll leave these few tidbits here for posterity:
- The cbTag field of the BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO needs to be set from the beginning. The pbTag isn't necessary until the final call that produces or verifies the tag, but cbTag must always be present.
- The pbNonce field of the BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO structure must remain set for all calls when chaining calls together (by using BCRYPT_AUTH_MODE_CHAIN_CALLS_FLAG).
- All calls during a chain (again using BCRYPT_AUTH_MODE_CHAIN_CALLS_FLAG) of encryptions or decryptions, except for the last, must provide an input whose size is a multiple of the algorithm's block size. I think the documentation actually says this, but it's not abundantly clear when they explicitly tell you not to set the BCRYPT_BLOCK_PADDING flag (with authenticated ciphers).
The code I'm working on will eventually be part of the library here, which will hopefully provide a working example to the next person.
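As an added example (not the asker's or the answerer's code, and not taken from the library mentioned above): an AES-GMAC, i.e. an AES-GCM tag over AAD with no plaintext, computed with BCryptEncrypt in a chain of calls that follows the three points listed above. It assumes the block-multiple rule for chained calls applies to cbAuthData as well as to the input, uses a 12-byte nonce and 64-byte AAD chunks, and keeps the Windows-only CNG calls behind _WIN32 so the two chunking helpers compile and run anywhere.

```c
#include <stddef.h>
#define AES_BLOCK 16
#define CHUNK (4 * AES_BLOCK)   /* AAD is fed to chained calls in block-multiple pieces */
/* Third point above: every chained call except the last carries a block-multiple
   length; the last call takes whatever remains, which may be any length, even 0. */
static size_t chain_len(size_t total, size_t offset, size_t step) {
    return total - offset > step ? step : total - offset;
}
/* Second point above: BCRYPT_AUTH_MODE_CHAIN_CALLS_FLAG stays set on every call but the last. */
static int chain_more(size_t total, size_t offset, size_t step) {
    return total - offset > step;
}
#ifdef _WIN32
#include <windows.h>
#include <bcrypt.h>
#pragma comment(lib, "bcrypt.lib")
/* AES-GMAC: an AES-GCM tag over AAD only, no plaintext (what a bcrypt-gmac tool would do).
   Returns the NTSTATUS of the first failing CNG call, or STATUS_SUCCESS (0). */
NTSTATUS gmac_tag(const UCHAR *key, ULONG keyLen, const UCHAR *nonce, ULONG nonceLen,
                  const UCHAR *aad, ULONG aadLen, UCHAR tag[16]) {
    BCRYPT_ALG_HANDLE hAlg = NULL; BCRYPT_KEY_HANDLE hKey = NULL;
    BCRYPT_AUTH_TAG_LENGTHS_STRUCT lens = {0}; BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO info;
    UCHAR macCtx[16], iv[AES_BLOCK] = {0}; ULONG cb = 0; size_t off = 0; /* iv: zeroed, reused across the chain */
    NTSTATUS st = BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_AES_ALGORITHM, NULL, 0);
    if (BCRYPT_SUCCESS(st)) st = BCryptSetProperty(hAlg, BCRYPT_CHAINING_MODE,
                                 (PUCHAR)BCRYPT_CHAIN_MODE_GCM, sizeof(BCRYPT_CHAIN_MODE_GCM), 0);
    if (BCRYPT_SUCCESS(st)) st = BCryptGetProperty(hAlg, BCRYPT_AUTH_TAG_LENGTH,
                                 (PUCHAR)&lens, sizeof(lens), &cb, 0);   /* dwMaxLength is 16 for GCM */
    if (BCRYPT_SUCCESS(st)) st = BCryptGenerateSymmetricKey(hAlg, &hKey, NULL, 0,
                                 (PUCHAR)key, keyLen, 0);
    BCRYPT_INIT_AUTH_MODE_INFO(info);
    info.pbNonce = (PUCHAR)nonce; info.cbNonce = nonceLen;              /* point 2: set on every call */
    info.pbTag = tag;             info.cbTag = lens.dwMaxLength;        /* point 1: cbTag from call one */
    info.pbMacContext = macCtx;   info.cbMacContext = lens.dwMaxLength; /* running GHASH state between calls */
    info.dwFlags = BCRYPT_AUTH_MODE_CHAIN_CALLS_FLAG;
    while (BCRYPT_SUCCESS(st)) {
        info.pbAuthData = (PUCHAR)aad + off;
        info.cbAuthData = (ULONG)chain_len(aadLen, off, CHUNK);
        if (!chain_more(aadLen, off, CHUNK))                      /* last call: clear the chain flag so */
            info.dwFlags &= ~BCRYPT_AUTH_MODE_CHAIN_CALLS_FLAG;   /* CNG finalises and writes pbTag    */
        st = BCryptEncrypt(hKey, NULL, 0, &info, iv, sizeof iv, NULL, 0, &cb, 0);
        if (!(info.dwFlags & BCRYPT_AUTH_MODE_CHAIN_CALLS_FLAG)) break;
        off += info.cbAuthData;
    }
    if (hKey) BCryptDestroyKey(hKey);
    if (hAlg) BCryptCloseAlgorithmProvider(hAlg, 0);
    return st;
}
#endif
```

A failing call still returns only the NTSTATUS, so when debugging the same STATUS_INVALID_PARAMETER it helps to start from this known-good field set and change one field at a time.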