Fix calculation of channel bindings hash in managed NTLM implementation (#102565)

Author: filipnavara

src/libraries/System.Net.Security/src/System/Net/NegotiateAuthenticationPal.ManagedNtlm.cs

@@ -416,10 +416,23 @@ private unsafe void WriteChannelBindingHash(Span<byte> hashBuffer)
             {
                 if (_channelBinding != null)
                 {
-                    IntPtr cbtData = _channelBinding.DangerousGetHandle();
-                    int cbtDataSize = _channelBinding.Size;
-                    int written = MD5.HashData(new Span<byte>((void*)cbtData, cbtDataSize), hashBuffer);
-                    Debug.Assert(written == MD5.HashSizeInBytes);
+                    int appDataOffset = sizeof(SecChannelBindings);
+                    IntPtr cbtData = (nint)_channelBinding.DangerousGetHandle() + appDataOffset;
+                    int cbtDataSize = _channelBinding.Size - appDataOffset;
+
+                    // Channel bindings are calculated according to RFC 4121, section 4.1.1.2,
+                    // so we need to include zeroed initiator fields and length prefix for the
+                    // application data.
+                    Span<byte> prefix = stackalloc byte[sizeof(uint) * 5];
+                    prefix.Clear();
+                    BinaryPrimitives.WriteInt32LittleEndian(prefix.Slice(sizeof(uint) * 4), cbtDataSize);
+                    using (var md5 = IncrementalHash.CreateHash(HashAlgorithmName.MD5))
+                    {
+                        md5.AppendData(prefix);
+                        md5.AppendData(new Span<byte>((void*)cbtData, cbtDataSize));
+                        int written = md5.GetHashAndReset(hashBuffer);
+                        Debug.Assert(written == MD5.HashSizeInBytes);
+                    }
                 }
                 else
                 {

src/libraries/System.Net.Security/src/System/Net/NegotiateAuthenticationPal.Unix.cs

@@ -551,7 +551,7 @@ Interop.NetSecurityNative.Status status
                 }
             }
 
-            private NegotiateAuthenticationStatusCode InitializeSecurityContext(
+            private unsafe NegotiateAuthenticationStatusCode InitializeSecurityContext(
                 ref SafeGssCredHandle credentialsHandle,
                 ref SafeGssContextHandle? contextHandle,
                 ref SafeGssNameHandle? targetNameHandle,
@@ -594,7 +594,7 @@ private NegotiateAuthenticationStatusCode InitializeSecurityContext(
                     {
                         // If a TLS channel binding token (cbt) is available then get the pointer
                         // to the application specific data.
-                        int appDataOffset = Marshal.SizeOf<SecChannelBindings>();
+                        int appDataOffset = sizeof(SecChannelBindings);
                         Debug.Assert(appDataOffset < channelBinding.Size);
                         IntPtr cbtAppData = channelBinding.DangerousGetHandle() + appDataOffset;
                         int cbtAppDataSize = channelBinding.Size - appDataOffset;

src/libraries/System.Net.Security/src/System/Net/Security/Pal.Managed/SafeChannelBindingHandle.cs

@@ -11,7 +11,7 @@ namespace System.Net.Security
     internal sealed class SafeChannelBindingHandle : ChannelBinding
     {
         private const int CertHashMaxSize = 128;
-        private static readonly int s_secChannelBindingSize = Marshal.SizeOf<SecChannelBindings>();
+        private static unsafe int SecChannelBindingSize => sizeof(SecChannelBindings);
 
         private readonly int _cbtPrefixByteArraySize;
         internal int Length { get; private set; }
@@ -36,8 +36,8 @@ internal unsafe SafeChannelBindingHandle(ChannelBindingKind kind)
                 "tls-unique:"u8;
 
             _cbtPrefixByteArraySize = cbtPrefix.Length;
-            handle = Marshal.AllocHGlobal(s_secChannelBindingSize + _cbtPrefixByteArraySize + CertHashMaxSize);
-            IntPtr cbtPrefixPtr = handle + s_secChannelBindingSize;
+            handle = Marshal.AllocHGlobal(SecChannelBindingSize + _cbtPrefixByteArraySize + CertHashMaxSize);
+            IntPtr cbtPrefixPtr = handle + SecChannelBindingSize;
             cbtPrefix.CopyTo(new Span<byte>((byte*)cbtPrefixPtr, cbtPrefix.Length));
             CertHashPtr = cbtPrefixPtr + _cbtPrefixByteArraySize;
             Length = CertHashMaxSize;
@@ -46,12 +46,12 @@ internal unsafe SafeChannelBindingHandle(ChannelBindingKind kind)
         internal void SetCertHashLength(int certHashLength)
         {
             int cbtLength = _cbtPrefixByteArraySize + certHashLength;
-            Length = s_secChannelBindingSize + cbtLength;
+            Length = SecChannelBindingSize + cbtLength;
 
             SecChannelBindings channelBindings = new SecChannelBindings()
             {
                 ApplicationDataLength = cbtLength,
-                ApplicationDataOffset = s_secChannelBindingSize
+                ApplicationDataOffset = SecChannelBindingSize
             };
             Marshal.StructureToPtr(channelBindings, handle, true);
         }