Memory is handled through a list of descriptors for the buffers being passed to the functions. Because certain protocols require access to an entire message, the entire message is available. To ensure application integrity, however, you can prohibit a package from modifying an area of a message.
The context functions use the SECBUFFER and SECBUFFERDESC structures to pass memory buffers. The client creates an array of SECBUFFER structures that references only the buffers that the application will be passing to the package. The security package may indicate that it looks at only the security portion of a message, and that the SSPI client need not provide the other portions of the message. Passing only portions of a message instead of the entire message improves performance.
SECBUFFERDESC is a header that includes a pointer to the array of SECBUFFER structures. The following code example shows how the server initializes an array of buffers when it calls the AcceptSecurityContext function. The last buffer contains the opaque security token received from the client. The SECBUFFER_READONLY flag is also set.
```c
SecBuffer Buffers[3];
SecBufferDesc BufferDesc;

// Set up the buffer descriptors.
BufferDesc.ulVersion = SECBUFFER_VERSION;
BufferDesc.cBuffers = 3;
BufferDesc.pBuffers = &Buffers[0];

// Protocol header: marked read-only so the package cannot modify it.
Buffers[0].cbBuffer = sizeof (Protocol_Header);
Buffers[0].BufferType = SECBUFFER_READONLY | SECBUFFER_DATA;
Buffers[0].pvBuffer = pHeader;

// Message body; its length is taken from the protocol header.
Buffers[1].cbBuffer = pHeader->MessageSize;
Buffers[1].BufferType = SECBUFFER_DATA;
Buffers[1].pvBuffer = pMessage;

// Opaque security token (trailer), also marked read-only.
Buffers[2].cbBuffer = pHeader->TrailerSize;
Buffers[2].BufferType = SECBUFFER_READONLY | SECBUFFER_TOKEN;
Buffers[2].pvBuffer = pSecurityTrailer;
```
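The listing above takes MessageSize and TrailerSize from the received header. The following added example (not part of the original page) checks those lengths against the bytes actually received before the descriptor is built. The Protocol_Header layout, the one-frame-per-buffer framing, and the names describe_frame and set_buf are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#else /* Stand-ins mirroring sspi.h so the example also builds off Windows. */
typedef struct { unsigned long cbBuffer, BufferType; void *pvBuffer; } SecBuffer;
typedef struct { unsigned long ulVersion, cBuffers; SecBuffer *pBuffers; } SecBufferDesc;
#define SECBUFFER_VERSION  0
#define SECBUFFER_DATA     1
#define SECBUFFER_TOKEN    2
#define SECBUFFER_READONLY 0x80000000
#endif

/* Assumed wire layout: the page does not define Protocol_Header. */
typedef struct { uint32_t MessageSize, TrailerSize; } Protocol_Header;

static void set_buf(SecBuffer *b, unsigned long type, void *p, size_t n)
{ b->cbBuffer = (unsigned long)n; b->BufferType = type; b->pvBuffer = p; }

/* Describe one received frame (header | message | trailer) for the package.
   Returns 0 on success, -1 when the header's lengths do not fit `len`. */
int describe_frame(unsigned char *frame, size_t len,
                   SecBuffer bufs[3], SecBufferDesc *desc)
{
    Protocol_Header hdr;
    if (frame == NULL || len < sizeof hdr) return -1;
    memcpy(&hdr, frame, sizeof hdr);  /* copy once: no unaligned or repeated reads */
    size_t body = len - sizeof hdr;
    /* Compare each length separately so a huge value cannot wrap a sum. */
    if (hdr.MessageSize > body) return -1;
    if (hdr.TrailerSize == 0 || hdr.TrailerSize != body - hdr.MessageSize) return -1;
    set_buf(&bufs[0], SECBUFFER_READONLY | SECBUFFER_DATA, frame, sizeof hdr);
    set_buf(&bufs[1], SECBUFFER_DATA, frame + sizeof hdr, hdr.MessageSize);
    set_buf(&bufs[2], SECBUFFER_READONLY | SECBUFFER_TOKEN,
            frame + sizeof hdr + hdr.MessageSize, hdr.TrailerSize);
    desc->ulVersion = SECBUFFER_VERSION; desc->cBuffers = 3;
    desc->pBuffers = bufs;
    return 0;
}

int main(void)
{   /* Constructed frame: 5-byte message followed by a 4-byte trailer. */
    unsigned char frame[sizeof(Protocol_Header) + 9] = {0};
    Protocol_Header hdr = { 5, 4 };
    SecBuffer bufs[3]; SecBufferDesc desc;
    memcpy(frame, &hdr, sizeof hdr);
    return describe_frame(frame, sizeof frame, bufs, &desc);  /* 0 = accepted */
}
```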