Bulk Data Encryption (Diffie-Hellman)

The MAC is generated by hashing one of the MAC keys (via CryptHashSessionKey) together with the message contents and other data. The message is encrypted/decrypted with one of the bulk encryption keys in the usual manner.

When a block cipher is used, the protocol engine does all necessary block cipher padding. When CryptEncrypt and CryptDecrypt are called, the Final flag is always FALSE and the data length is a whole number of blocks.

Note: The CSP must never buffer data internally. Once the data has been encrypted (or decrypted), the size of the plaintext must always exactly match the size of the ciphertext.
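The length contract described above, as an added example that is not part of the original page or any CSP's own code: the engine pads to a block boundary, and the CSP side rejects a set Final flag or a partial block and transforms the data in place so the length never changes. Assumptions: an 8-byte block, TLS 1.0-style padding (the page does not name the padding scheme), and the hypothetical names `engine_pad`, `csp_encrypt` and `placeholder_block`, the last being a stand-in transform and not a cipher.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_LEN 8 /* assumed cipher block size in bytes (constructed) */

/* Protocol-engine side: pad payload||MAC up to a whole number of blocks.
 * Assumed scheme: TLS 1.0-style, every added byte holds (pad - 1).
 * Returns the padded length, or 0 if the buffer cannot hold it. */
size_t engine_pad(uint8_t *buf, size_t len, size_t cap)
{
    size_t pad = BLOCK_LEN - (len % BLOCK_LEN); /* 1..BLOCK_LEN bytes */
    if (len > cap || pad > cap - len)
        return 0;
    memset(buf + len, (int)(pad - 1), pad);
    return len + pad;
}

/* Placeholder per-block transform, NOT a cipher; it stands in for the
 * CSP's real block operation so the length handling can be exercised. */
static void placeholder_block(uint8_t *block)
{
    for (size_t i = 0; i < BLOCK_LEN; i++)
        block[i] ^= 0xA5;
}

/* CSP side (hypothetical entry point modelled on the CryptEncrypt contract
 * described above): reject what the engine should never send, then
 * transform in place so *len is identical on entry and exit. */
int csp_encrypt(int final, uint8_t *data, size_t *len, size_t cap)
{
    if (final)                 /* engine always passes Final = FALSE */
        return -1;
    if (*len == 0 || *len > cap || *len % BLOCK_LEN != 0)
        return -1;             /* a partial block would force buffering */
    for (size_t off = 0; off < *len; off += BLOCK_LEN)
        placeholder_block(data + off);
    return 0;                  /* *len untouched: nothing added or held back */
}

int main(void)
{
    uint8_t rec[32] = {0};     /* constructed 21-byte payload+MAC */
    size_t len = engine_pad(rec, 21, sizeof rec);
    return (len == 24 && csp_encrypt(0, rec, &len, sizeof rec) == 0
            && len == 24) ? 0 : 1;
}
```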