Fix SSPI ComputeIntegrityCheck with Sign level (#105605)
Fix calling NegotiateAuthentication.ComputeIntegrityCheck on SSPI when
the negotiation context was built with ProtectionLevel.Sign. The
SECQOP_WRAP_NO_ENCRYPT QoP flag should not be set when calling GetMIC as
no encryption is involved and some authentication providers fail when
this is set.

Fix #103461

Co-authored-by: Tomas Weinfurt <tweinfurt@yahoo.com>
jborean93 and wfurt committed Aug 20, 2024
1 parent 2791df7 commit 3622bfa
Showing 1 changed file with 1 addition and 2 deletions.
Expand Up @@ -587,8 +587,7 @@ public override unsafe void GetMIC(ReadOnlySpan<byte> message, IBufferWriter<byt
pBuffers = unmanagedBuffer
};

uint qop = IsEncrypted ? 0 : Interop.SspiCli.SECQOP_WRAP_NO_ENCRYPT;
int errorCode = Interop.SspiCli.MakeSignature(ref _securityContext._handle, qop, ref sdcInOut, 0);
int errorCode = Interop.SspiCli.MakeSignature(ref _securityContext._handle, 0, ref sdcInOut, 0);

if (errorCode != 0)
{
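
Review bot: The literal 0 now passed as the QoP argument to MakeSignature in GetMIC has no comment explaining it, and it sits beside a second bare 0 in the same call, so a later reader could easily reintroduce the IsEncrypted-based flag. Consider a one-line comment above the call stating that SECQOP_WRAP_NO_ENCRYPT must not be passed when signing because no encryption is involved and some authentication providers fail when it is set. The commit changes only this one file, so it carries no regression test; a test that calls ComputeIntegrityCheck on a context negotiated with ProtectionLevel.Sign would cover the case reported in #103461.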