It came to my intention that this sample code – which shows how to plug-in a new symmetric algorithm (e.g. Twofish) via CNG (Crypto API: Next Generation) and CMS (Cryptographic Message Syntax) – has a usage error in the CMS portion.

http://download.microsoft.com/download/f/1/2/f12dbbb5-d164-4e7c-b42d-aaca3efb85dc/CNGSample.EXE

Specifically, the BCryptSetProperty BCRYPT_CHAINING_MODE call is supposed to be made against the provider handle, and not the key handle. Also, the property data input length should correspond the length of the whole property string, and not just the size of the pointer. In other words, this code:

CHECK_DWORD((DWORD) BCryptSetProperty(

*phCNGContentEncryptKey,

BCRYPT_CHAINING_MODE,

(PBYTE) BCRYPT_CHAIN_MODE_CBC,

sizeof(LPWSTR),

0));

should actually be this:

CHECK_DWORD((DWORD) BCryptSetProperty(

hAlgorithm,

BCRYPT_CHAINING_MODE,

(PBYTE) BCRYPT_CHAIN_MODE_CBC,

sizeof(WCHAR) * (1 + wcslen(BCRYPT_CHAIN_MODE_CBC)), 0));

Now, to be clear, I haven’t tested the latter. Furthermore, I was told that the former, while technically incorrect, is allowed (at least in the Vista RTM version of CNG).

No Comments »