Fix SSPI ComputeIntegrityCheck with Sign level (dotnet#105605)

Fix calling NegotiateAuthentication.ComputeIntegrityCheck on SSPI when the negotiation context was built with ProtectionLevel.Sign. The SECQOP_WRAP_NO_ENCRYPT QoP flag should not be set when calling GetMIC as no encryption is involved and some authentication providers fail when this is set. Fix dotnet#103461 Co-authored-by: Tomas Weinfurt <tweinfurt@yahoo.com>
mikelle-rogers · Dec 4, 2024 · 7390b3b · 7390b3b
1 parent 965862c
commit 7390b3b
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/src/libraries/System.Net.Security/src/System/Net/NegotiateAuthenticationPal.Windows.cs b/src/libraries/System.Net.Security/src/System/Net/NegotiateAuthenticationPal.Windows.cs
@@ -587,8 +587,7 @@ public override unsafe void GetMIC(ReadOnlySpan<byte> message, IBufferWriter<byt
                             pBuffers = unmanagedBuffer
                         };
 
-                        uint qop = IsEncrypted ? 0 : Interop.SspiCli.SECQOP_WRAP_NO_ENCRYPT;
-                        int errorCode = Interop.SspiCli.MakeSignature(ref _securityContext._handle, qop, ref sdcInOut, 0);
+                        int errorCode = Interop.SspiCli.MakeSignature(ref _securityContext._handle, 0, ref sdcInOut, 0);
 
                         if (errorCode != 0)
                         {