NTLM: Enable MIC generation with the gss-ntlmssp provider #65627
Conversation
ghost
added
the
community-contribution
|
Tagging subscribers to this area: @dotnet/ncl, @vcsjones Issue DetailsRef: #65611 (comment)
|
|
Closing for now since the necessary tests are missing and the MIC calculation doesn't pass them. Either the tests are incorrect (even though they pass on Windows and macOS) or the calculation in gss-ntlmssp is incorrect. |
|
Preliminary analysis seems to suggest that gss-ntlmssp incorrectly interprets the lack of version negotiation as lack of the VERSION field in the messages. The MIC offset would those be shifted. This doesn't seem to be in line with the specification which says the VERSION should still be present be can be set to zeros. |
|
BTW I'm not sure if we should force it anyhow. We certainly don't on macOS so if gss-ntlmssp does not do it on it's own that looks like improvement that can be made there. |
|
macOS always generates it and so does any recent version of Windows. I already filed bug on gss-ntlmssp to fix it there. |
ghost
locked as resolved and limited conversation to collaborators
Ref: #65611 (comment)
The MIC is currently not sent due to this code branch.
It seems like there may be a way to enforce it by calling
gss_inquire_sec_context_by_oidwith the1.3.6.1.4.1.7165.655.1.2OID. The provider implements it here.