Question

I have to implement a TLS handshake process using the SSPI interface.
My app implements the client side, and as I saw from here the general flow is:

  1. InitializeSecurityContext - the first call returns a pointer to a SecBufferDesc structure.
  2. Call the send() (WinSock API) function with the output buffers.
  3. Call the recv() function.
  4. Call InitializeSecurityContext again with the buffers.

The MSDN explanation about these buffers:

"On calls to this function after the initial call, there must be two buffers. The first has type SECBUFFER_TOKEN and contains the token received from the server. The second buffer has type SECBUFFER_EMPTY; set both the pvBuffer and cbBuffer members to zero."

My questions:

  1. I need some more explanation: what is the meaning of the buffers? What does the second buffer contain? What are they for?
  2. In the MSDN it is written that the TargetDataRep input parameter of the InitializeSecurityContext function is not used for Schannel, but many samples that I saw set it to SECURITY_NATIVE_DREP. What is the SECURITY_NATIVE_DREP flag? Why does the MSDN say to set it to zero?

I will really appreciate any help.
Thanks!


Solution

1. SChannel gives you a layer of abstraction to be able to transfer data buffers over secure channels. The API is designed in such a way that when you send a piece of data, you supply two data buffers: the actual data (payload) and a second buffer which holds the secure channel token/context. It is assumed that you will be attaching this buffer to every payload buffer you are pushing through, because the API is not designed to keep and manage this data internally, e.g. with a handle.

2. InitializeSecurityContext applies not only to the SChannel package; in other scenarios this parameter is used, and perhaps the sample code you had a chance to see was related to a different package, was copied from there, or applies to both.

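Added example, not part of the question or the answer above, covering both the four-step flow listed in the question and the question about the two buffers: a C client handshake loop against Schannel over WinSock, in the shape the MSDN Schannel client sample uses. It makes visible what the two input buffers are for on calls after the first: buffer 0 (SECBUFFER_TOKEN) holds everything received from the server and not yet consumed, and buffer 1 (SECBUFFER_EMPTY) is an output slot that Schannel changes to SECBUFFER_EXTRA, with cbBuffer set to the number of trailing bytes it did not consume, so those bytes must be kept at the front of the receive buffer for the next call. It also shows the two statuses that drive the loop, SEC_I_CONTINUE_NEEDED (send the output token and keep going) and SEC_E_INCOMPLETE_MESSAGE (a TLS record is still partial, so recv() more before calling again). TargetDataRep is passed as 0 in both calls because Schannel ignores it; SECURITY_NATIVE_DREP, which packages such as NTLM and Kerberos honour, asks for the target's native data representation (byte ordering), so for Schannel 0 and SECURITY_NATIVE_DREP behave the same. The connected SOCKET, the host name, the CredHandle and the receive buffer are assumed caller inputs, and the functions schannel_client_handshake, retain_extra, tls_record_size and bookkeeping_selftest are names chosen for this example, not SSPI names.

```c
/* Added example, not code from the question or the answer: the four-step
 * Schannel client handshake over WinSock. The receive-buffer bookkeeping is
 * portable and self-checks anywhere; the SSPI calls are Windows-only.
 * Assumed caller inputs (hypothetical): a connected SOCKET, the server host
 * name, and a CredHandle from AcquireCredentialsHandle(SECPKG_CRED_OUTBOUND). */
#include <stddef.h>
#include <string.h>

/* TLS record header: type(1) version(2) length(2). Size of the first complete
 * record, or 0 if even the header is missing (Schannel: SEC_E_INCOMPLETE_MESSAGE). */
size_t tls_record_size(const unsigned char *buf, size_t len)
{
    return len < 5 ? 0 : 5 + (((size_t)buf[3] << 8) | buf[4]);
}

/* Schannel may turn the second (SECBUFFER_EMPTY) input buffer into SECBUFFER_EXTRA:
 * cbBuffer bytes at the END of the token were not consumed. Keep them at the front. */
size_t retain_extra(unsigned char *buf, size_t len, size_t extra)
{
    if (extra > len) extra = len;
    if (extra) memmove(buf, buf + (len - extra), extra);
    return extra;
}

/* Constructed self-check of the two helpers; 0 means both behave. */
int bookkeeping_selftest(void)
{
    unsigned char rec[] = { 0x16, 0x03, 0x03, 0x00, 0x2a };  /* header: 42-byte body */
    unsigned char tok[] = "ABCDEFGH";
    if (tls_record_size(rec, 5) != 47 || tls_record_size(rec, 3) != 0) return 1;
    if (retain_extra(tok, 8, 3) != 3 || memcmp(tok, "FGH", 3) != 0) return 2;
    return retain_extra(tok, 3, 0) == 0 ? 0 : 3;
}

#ifdef _WIN32                 /* link with secur32.lib and ws2_32.lib */
#define SECURITY_WIN32
#include <winsock2.h>
#include <windows.h>
#include <security.h>
#include <schannel.h>
static int send_all(SOCKET s, const void *p, unsigned long n)
{
    const char *c = (const char *)p;
    while (n > 0) {
        int k = send(s, c, (int)n, 0);
        if (k <= 0) return -1;
        c += k; n -= (unsigned long)k;
    }
    return 0;
}
/* Returns the number of unconsumed bytes left at inbuf[0..] on success (they
 * are already application data; hand them to DecryptMessage), -1 on failure. */
int schannel_client_handshake(SOCKET s, CredHandle *cred, const char *host,
                              CtxtHandle *ctx, unsigned char *inbuf, size_t cap)
{
    unsigned long req = ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT |
                        ISC_REQ_CONFIDENTIALITY | ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_STREAM;
    unsigned long attrs = 0;
    size_t inlen = 0;
    SecBuffer in[2], out[1];
    SecBufferDesc indesc = { SECBUFFER_VERSION, 2, in };
    SecBufferDesc outdesc = { SECBUFFER_VERSION, 1, out };
    SECURITY_STATUS st;

    /* Step 1: no input; the output token is the ClientHello. TargetDataRep is
     * ignored by Schannel, so 0 and SECURITY_NATIVE_DREP behave the same. */
    out[0].BufferType = SECBUFFER_TOKEN; out[0].pvBuffer = NULL; out[0].cbBuffer = 0;
    st = InitializeSecurityContextA(cred, NULL, (SEC_CHAR *)host, req, 0, 0, NULL, 0,
                                    ctx, &outdesc, &attrs, NULL);
    if (st != SEC_I_CONTINUE_NEEDED) return -1;
    for (;;) {
        /* Step 2: send() whatever token Schannel produced (ClientHello, the client's
         * final flight, or a TLS alert when a failure carries ISC_RET_EXTENDED_ERROR). */
        if (out[0].pvBuffer != NULL && out[0].cbBuffer > 0) {
            int rc = send_all(s, out[0].pvBuffer, out[0].cbBuffer);
            FreeContextBuffer(out[0].pvBuffer);
            if (rc != 0) goto fail;
        }
        if (st == SEC_E_OK) return (int)inlen;
        if (st == SEC_I_INCOMPLETE_CREDENTIALS || (FAILED(st) && st != SEC_E_INCOMPLETE_MESSAGE))
            goto fail;                  /* client cert requested (not handled here) or error */
        /* Step 3: recv() unless a previous call left unconsumed bytes waiting. */
        if (inlen == 0 || st == SEC_E_INCOMPLETE_MESSAGE) {
            int n = recv(s, (char *)inbuf + inlen, (int)(cap - inlen), 0);
            if (n <= 0) goto fail;
            inlen += (size_t)n;
        }
        /* Step 4: buffer 0 = token received so far; buffer 1 = the empty slot. */
        in[0].BufferType = SECBUFFER_TOKEN; in[0].pvBuffer = inbuf; in[0].cbBuffer = (unsigned long)inlen;
        in[1].BufferType = SECBUFFER_EMPTY; in[1].pvBuffer = NULL;  in[1].cbBuffer = 0;
        out[0].BufferType = SECBUFFER_TOKEN; out[0].pvBuffer = NULL; out[0].cbBuffer = 0;
        st = InitializeSecurityContextA(cred, ctx, NULL, req, 0, 0, &indesc, 0,
                                        NULL, &outdesc, &attrs, NULL);
        if (st != SEC_E_INCOMPLETE_MESSAGE)    /* incomplete: keep inbuf, read more */
            inlen = in[1].BufferType == SECBUFFER_EXTRA
                        ? retain_extra(inbuf, inlen, in[1].cbBuffer) : 0;
    }
fail:
    DeleteSecurityContext(ctx);
    return -1;
}
#endif
```

Usage: after connect(), call `int left = schannel_client_handshake(s, &cred, "example.com", &ctx, buf, sizeof buf);` with a buffer of at least one maximum TLS record (16 KiB plus overhead); on success query SECPKG_ATTR_STREAM_SIZES with QueryContextAttributes before using EncryptMessage and DecryptMessage, and feed any `left` bytes to DecryptMessage first. Compiled without _WIN32 only the portable helpers and their self-check build, which is what lets the buffer bookkeeping be checked off-box.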
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow