News  [SoftwareSite

Latest News
Older News
RSS Feed
 
Complete Projects
Useful Classes
Top Downloads
Message Board
AllAPI.net
 
Send Comments
Software License
Mentalis.org Buttons
Donate
 
Forums -> Security Library Forum
 
AES Ciphers Cause Excpetion (on some systems)  
by JD [jconley at winfessor dot com]
posted on 2005/01/07

I have finally tracked down a bug that has been plaguing us for the last year or so, but I don't know what to do about it. On some systems (they all appear to be Windows 2003 Server, and usually domain controllers) AES ciphers do not work from the server side. If any AES ciphers are specified during a ChangeProtocol call (like with the default SECURE_PROTOCOLS set) an exception may be thrown. If I choose any cipher set that does not use AES the exception does not occur. I assume it is some sort of permissions issue with the unmanaged Rijndael provider, but I'm not sure what. The stack is as follows:

Org.Mentalis.Security.SecurityException: An error occurs while communicating with the remote host.
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Security.Cryptography.CryptographicException: Couldn't acquire crypto service provider context.
at Org.Mentalis.Security.Cryptography.CAPIProvider.CreateHandle()
at Org.Mentalis.Security.Cryptography.RijndaelCryptoServiceProvider..ctor()
--- End of inner exception stack trace ---
at System.RuntimeType.CreateInstanceImpl(Boolean publicOnly)
at System.Activator.CreateInstance(Type type, Boolean nonPublic)
at Org.Mentalis.Security.Ssl.Tls1.Tls1CipherSuites.InitializeCipherSuite(Byte[] master, Byte[] clientrnd, Byte[] serverrnd, CipherDefinition definition, ConnectionEnd entity)
at Org.Mentalis.Security.Ssl.Shared.CipherSuites.GetCipherSuite(SecureProtocol protocol, Byte[] master, Byte[] clientrnd, Byte[] serverrnd, SslAlgorithms scheme, ConnectionEnd entity)
at Org.Mentalis.Security.Ssl.Shared.HandshakeLayer.GenerateCiphers(Byte[] premaster)
at Org.Mentalis.Security.Ssl.Shared.ServerHandshakeLayer.ProcessClientKeyExchange(HandshakeMessage message)
at Org.Mentalis.Security.Ssl.Shared.ServerHandshakeLayer.ProcessMessage(HandshakeMessage message)
at Org.Mentalis.Security.Ssl.Shared.HandshakeLayer.ProcessMessages(RecordMessage message)
at Org.Mentalis.Security.Ssl.Shared.RecordLayer.ProcessBytes(Byte[] buffer, Int32 offset, Int32 size)
at Org.Mentalis.Security.Ssl.Shared.SocketController.OnReceive(IAsyncResult ar) ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Security.Cryptography.CryptographicException: Couldn't acquire crypto service provider context.
at Org.Mentalis.Security.Cryptography.CAPIProvider.CreateHandle()
at Org.Mentalis.Security.Cryptography.RijndaelCryptoServiceProvider..ctor()
--- End of inner exception stack trace ---
at System.RuntimeType.CreateInstanceImpl(Boolean publicOnly)
at System.Activator.CreateInstance(Type type, Boolean nonPublic)
at Org.Mentalis.Security.Ssl.Tls1.Tls1CipherSuites.InitializeCipherSuite(Byte[] master, Byte[] clientrnd, Byte[] serverrnd, CipherDefinition definition, ConnectionEnd entity)
at Org.Mentalis.Security.Ssl.Shared.CipherSuites.GetCipherSuite(SecureProtocol protocol, Byte[] master, Byte[] clientrnd, Byte[] serverrnd, SslAlgorithms scheme, ConnectionEnd entity)
at Org.Mentalis.Security.Ssl.Shared.HandshakeLayer.GenerateCiphers(Byte[] premaster)
at Org.Mentalis.Security.Ssl.Shared.ServerHandshakeLayer.ProcessClientKeyExchange(HandshakeMessage message)
at Org.Mentalis.Security.Ssl.Shared.ServerHandshakeLayer.ProcessMessage(HandshakeMessage message)
at Org.Mentalis.Security.Ssl.Shared.HandshakeLayer.ProcessMessages(RecordMessage message)
at Org.Mentalis.Security.Ssl.Shared.RecordLayer.ProcessBytes(Byte[] buffer, Int32 offset, Int32 size)
at Org.Mentalis.Security.Ssl.Shared.SocketController.OnReceive(IAsyncResult ar)
--- End of inner exception stack trace ---
at Org.Mentalis.Security.Ssl.SecureSocket.EndReceive(IAsyncResult asyncResult)
at MyLibrary.BeginReceiveCallback(IAsyncResult ar)

by JD [jconley at winfessor dot com]
posted on 2005/01/07

I need to clarify something from my last message. When I said ciphers I mean those available in the SslAlgorithms enumeration and SECURE_PROTOCOLS should have said SECURE_CIPHERS.

by Pieter Philippaerts [Pieter at mentalis dot org]
posted on 2005/01/08

The problem should be resolved in the latest version of the library.

by JD [jconley at winfessor dot com]
posted on 2005/01/08

It doesn't seem to have fixed this particular issue. I just rebuilt everything with the latest versioin of the library and am still having the issue. If I remove AES from the set of ciphers on either the client or the server it works, if I leave AES in there it does not work and the exception above occurs on the server. Do you have any thoughts on how I might figure out the root cause of the issue?

by Pieter Philippaerts [Pieter at mentalis dot org]
posted on 2005/01/08

Is it the exact same error? And are you sure you're not calling the old assembly [for instance, if it's still in the GAC]?
If there's a problem with the unmanaged AES implementation, the RijndaelCryptoServiceProvider falls back to the RijndaelManaged class, so you shouldn't see any errors.
The line that threw the error you mentioned in your first post also has a try-catch handler around it now, so it shouldn't be able to throw exceptions anymore.

by JD [jconley at winfessor dot com]
posted on 2005/01/09

Actually, the stack trace is a bit different, but the end result is the same. Just as a little context, this server is running as an Active Directory user account as a service. The ChangeSecurity call is triggered by data that is received from the client (we're doing STARTTLS) so the call executes in an IOCP thread from the begin receive callback.

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Security.Cryptography.CryptographicException: Couldn't acquire crypto service provider context.
at Org.Mentalis.Security.Cryptography.CAPIProvider.CreateInternalHandle(Int32& handle, String container)
at Org.Mentalis.Security.Cryptography.RijndaelCryptoServiceProvider..ctor()
--- End of inner exception stack trace ---
at System.RuntimeType.CreateInstanceImpl(Boolean publicOnly)
at System.Activator.CreateInstance(Type type, Boolean nonPublic)
at Org.Mentalis.Security.Ssl.Tls1.Tls1CipherSuites.InitializeCipherSuite(Byte[] master, Byte[] clientrnd, Byte[] serverrnd, CipherDefinition definition, ConnectionEnd entity)
at Org.Mentalis.Security.Ssl.Shared.CipherSuites.GetCipherSuite(SecureProtocol protocol, Byte[] master, Byte[] clientrnd, Byte[] serverrnd, SslAlgorithms scheme, ConnectionEnd entity)
at Org.Mentalis.Security.Ssl.Shared.HandshakeLayer.GenerateCiphers(Byte[] premaster)
at Org.Mentalis.Security.Ssl.Shared.ServerHandshakeLayer.ProcessClientKeyExchange(HandshakeMessage message)
at Org.Mentalis.Security.Ssl.Shared.ServerHandshakeLayer.ProcessMessage(HandshakeMessage message)
at Org.Mentalis.Security.Ssl.Shared.HandshakeLayer.ProcessMessages(RecordMessage message)
at Org.Mentalis.Security.Ssl.Shared.RecordLayer.ProcessBytes(Byte[] buffer, Int32 offset, Int32 size)
at Org.Mentalis.Security.Ssl.Shared.SocketController.OnReceive(IAsyncResult ar) ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Security.Cryptography.CryptographicException: Couldn't acquire crypto service provider context.
at Org.Mentalis.Security.Cryptography.CAPIProvider.CreateInternalHandle(Int32& handle, String container)
at Org.Mentalis.Security.Cryptography.RijndaelCryptoServiceProvider..ctor()
--- End of inner exception stack trace ---
at System.RuntimeType.CreateInstanceImpl(Boolean publicOnly)
at System.Activator.CreateInstance(Type type, Boolean nonPublic)
at Org.Mentalis.Security.Ssl.Tls1.Tls1CipherSuites.InitializeCipherSuite(Byte[] master, Byte[] clientrnd, Byte[] serverrnd, CipherDefinition definition, ConnectionEnd entity)
at Org.Mentalis.Security.Ssl.Shared.CipherSuites.GetCipherSuite(SecureProtocol protocol, Byte[] master, Byte[] clientrnd, Byte[] serverrnd, SslAlgorithms scheme, ConnectionEnd entity)
at Org.Mentalis.Security.Ssl.Shared.HandshakeLayer.GenerateCiphers(Byte[] premaster)
at Org.Mentalis.Security.Ssl.Shared.ServerHandshakeLayer.ProcessClientKeyExchange(HandshakeMessage message)
at Org.Mentalis.Security.Ssl.Shared.ServerHandshakeLayer.ProcessMessage(HandshakeMessage message)
at Org.Mentalis.Security.Ssl.Shared.HandshakeLayer.ProcessMessages(RecordMessage message)
at Org.Mentalis.Security.Ssl.Shared.RecordLayer.ProcessBytes(Byte[] buffer, Int32 offset, Int32 size)
at Org.Mentalis.Security.Ssl.Shared.SocketController.OnReceive(IAsyncResult ar)
--- End of inner exception stack trace ---
at Org.Mentalis.Security.Ssl.SecureSocket.EndReceive(IAsyncResult asyncResult)
at MyLibrary.BeginReceiveCallback(IAsyncResult ar)

by JD Conley [jconley at coversant dot net]
posted on 2005/03/02

I didn't realize a new build was posted on 1/8/2005 that resolved this issue. I thought you were referring to the 1/6/2005 build. It does appear that the 1/8/2005 build fixed the issue. What else changed in that build?

 

Copyright © 2002-2007, The Mentalis.org Team. All rights reserved.
This site is located at http://www.mentalis.org/
Send comments to the webmaster.