[release/8.0] Fix Windows implementation of NegotiateAuthenticationPal.GetMIC

[filipnavara]

Partial backport of PR #96712.

Fixes #97942.

Customer Impact

• Customer reported
• Found internally

The NegotiateStream API sends incorrectly wrapped data on Windows when ProtectionLevel.Sign is used and NTLM is used as the underlying algorithm. Other platforms are not affected, other protection levels like ProtectionLevel.EncryptAndSign are not affected either.

Regression

• Yes
• No

Regression was introduced with PR #86948 in .NET 8. We lacked sufficient testing which was rectified in #96712 in .NET 9 when public APIs were added to expose the internal method. This PR backports the bug fix that was merged as part of PR #96712.

Testing

Tests were added in #96712 in main branch when the functionality was exposed as public API. The bug in the Windows implementation was uncovered by those tests and fixed. The customer who reported this issue in #97942 for .NET 8 has verified that the scenario is now fixed on .NET 9 nightly builds.

Specific changes in this PR have also been tested against the repro provided in #97942.

Risk

Low

The error is well understood, and the fix was already done in main branch last month. .NET 8 exposed this implementation detail only through the NegotiateStream API in a specific combination of parameters.

[ghost]

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Fixes #97942.

Customer Impact

• Customer reported
• Found internally

The NegotiateStream API sends incorrectly wrapped data on Windows when ProtectionLevel.Sign is used and NTLM is used as the underlying algorithm. Other platforms are not affected, other protection levels like ProtectionLevel.EncryptAndSign are not affected either.

Regression

• Yes
• No

Regression was introduced in PR #86948 in .NET 8. We lacked sufficient testing which was rectified in #96712 in .NET 9 when public APIs were added to expose the internal method. This PR backports the bug fix that was merged as part of PR #96712.

Testing

Tests were added in #96712 in main branch when the functionality was exposed as public API. The bug in the Windows implementation was uncovered by those tests and fixed. The customer who reported this issue in #97942 for .NET 8 has verified that the scenario is now fixed on .NET 9 nightly builds.

Risk

Low

The error is well understood, and the fix was already done in main branch last month.

Author:	filipnavara
Assignees:	-
Labels:	area-System.Net.Security
Milestone:	-

[rzikm]

LGTM

[danmoseley]

please get approval by mail for this one

[carlossanlop]

Friendly reminder that Monday February 12th is the Code Complete deadline for the March Release.

[stephentoub]

We don't want to backport the tests as well?

[filipnavara]

We don't want to backport the tests as well?

The tests use new public API that was introduced in .NET 9. It makes it rather non-trivial to port them.

[rzikm]

Approved via email

[rzikm]

Ci is green

[filipnavara]

Thanks for taking care of it!