Fix SSPI ComputeIntegrityCheck with Sign level #105605
Fix calling NegotiateAuthentication.ComputeIntegrityCheck on SSPI when the negotiation context was built with ProtectionLevel.Sign. The SECQOP_WRAP_NO_ENCRYPT QoP flag should not be set when calling GetMIC as no encryption is involved and some authentication providers fail when this is set. Fix dotnet#103461
The failure occurred when using Kerberos on SSPI which isn't possible to test on CI. I've verified it manually with the reproducer in #103461 as well as the SshClient I was originally using to test this scenario out.
wfurt
left a comment
LGTM. Is there risk that this can impact typical authentication @filipnavara ?
TL;DR: No, we don't use this API in the runtime itself. The API is used in the runtime only for implementing SPNEGO (Unix only managed impl.) and for
Just checking if this is waiting on anything from myself like rebasing the commit from the latest. Just hoping this can be present in .NET 9 where this API was introduced publicly.
Sorry, this has slipped our attention. It looks good to merge. Unfortunately, we are past the .NET 9.0 branch off, so now we need to treat this as regular servicing. @jborean93 how much does the bug affect you? Is there a workaround? @karelz this is fixing a bug in new API introduced in .NET 9, how strong business justification do we need to get this serviced?
It’s not the end of the world, I am not familiar with the back porting policies and assumed it would have been easy to do so. If it’s not then that’s fine, especially since it’s not an LTS release.
I think we should try to get it in. I'll try to figure it out with @karelz