Fix SSPI ComputeIntegrityCheck with Sign level (#105605)

jborean93 · wfurt · web-flow · commit 3622bfa4329f · 2024-08-20T10:50:44.000+02:00
Fix calling NegotiateAuthentication.ComputeIntegrityCheck on SSPI when the negotiation context was built with ProtectionLevel.Sign. The SECQOP_WRAP_NO_ENCRYPT QoP flag should not be set when calling GetMIC as no encryption is involved and some authentication providers fail when this is set. Fix #103461 Co-authored-by: Tomas Weinfurt <tweinfurt@yahoo.com>
diff --git a/src/libraries/System.Net.Security/src/System/Net/NegotiateAuthenticationPal.Windows.cs b/src/libraries/System.Net.Security/src/System/Net/NegotiateAuthenticationPal.Windows.cs
@@ -587,8 +587,7 @@ public override unsafe void GetMIC(ReadOnlySpan<byte> message, IBufferWriter<byt
                             pBuffers = unmanagedBuffer
                         };
 
-                        uint qop = IsEncrypted ? 0 : Interop.SspiCli.SECQOP_WRAP_NO_ENCRYPT;
-                        int errorCode = Interop.SspiCli.MakeSignature(ref _securityContext._handle, qop, ref sdcInOut, 0);
+                        int errorCode = Interop.SspiCli.MakeSignature(ref _securityContext._handle, 0, ref sdcInOut, 0);
 
                         if (errorCode != 0)
                         {

Original file line number	Diff line number	Diff line change
`@@ -587,8 +587,7 @@ public override unsafe void GetMIC(ReadOnlySpan<byte> message, IBufferWriter<byt`
`587`	`587`	`pBuffers = unmanagedBuffer`
`588`	`588`	`};`
`589`	`589`
`590`		`- uint qop = IsEncrypted ? 0 : Interop.SspiCli.SECQOP_WRAP_NO_ENCRYPT;`
`591`		`- int errorCode = Interop.SspiCli.MakeSignature(ref _securityContext._handle, qop, ref sdcInOut, 0);`
	`590`	`+ int errorCode = Interop.SspiCli.MakeSignature(ref _securityContext._handle, 0, ref sdcInOut, 0);`
`592`	`591`
`593`	`592`	`if (errorCode != 0)`
`594`	`593`	`{`