Merge remote-tracking branch 'upstream/master'

client/DirectFB/df_graphics.c

@@ -90,18 +90,33 @@ void df_Pointer_Set(rdpContext* context, rdpPointer* pointer)
 
 	dfi->layer->SetCooperativeLevel(dfi->layer, DLSCL_ADMINISTRATIVE);
 
-	result = dfi->layer->SetCursorShape(dfi->layer,
+	dfi->layer->SetCursorOpacity(dfi->layer, df_pointer ? 255: 0);
+
+	if(df_pointer != NULL)
+	{
+		result = dfi->layer->SetCursorShape(dfi->layer,
 			df_pointer->surface, df_pointer->xhot, df_pointer->yhot);
 
-	if (result != DFB_OK)
-	{
-		DirectFBErrorFatal("SetCursorShape Error", result);
-		return;
+		if (result != DFB_OK)
+		{
+			DirectFBErrorFatal("SetCursorShape Error", result);
+			return;
+		}
 	}
 
 	dfi->layer->SetCooperativeLevel(dfi->layer, DLSCL_SHARED);
 }
 
+void df_Pointer_SetNull(rdpContext* context)
+{
+	df_Pointer_Set(context, NULL);
+}
+
+void df_Pointer_SetDefault(rdpContext* context)
+{
+
+}
+
 /* Graphics Module */
 
 void df_register_graphics(rdpGraphics* graphics)
@@ -114,6 +129,8 @@ void df_register_graphics(rdpGraphics* graphics)
 	pointer->New = df_Pointer_New;
 	pointer->Free = df_Pointer_Free;
 	pointer->Set = df_Pointer_Set;
+	pointer->SetNull = df_Pointer_SetNull;
+	pointer->SetDefault = df_Pointer_SetDefault;
 
 	graphics_register_pointer(graphics, pointer);
 	xfree(pointer);

client/Windows/wf_graphics.c

@@ -216,6 +216,16 @@ void wf_Pointer_Set(rdpContext* context, rdpPointer* pointer)
 
 }
 
+void wf_Pointer_SetNull(rdpContext* context)
+{
+
+}
+
+void wf_Pointer_SetDefault(rdpContext* context)
+{
+
+}
+
 /* Graphics Module */
 
 void wf_register_graphics(rdpGraphics* graphics)
@@ -236,6 +246,8 @@ void wf_register_graphics(rdpGraphics* graphics)
 	pointer.New = wf_Pointer_New;
 	pointer.Free = wf_Pointer_Free;
 	pointer.Set = wf_Pointer_Set;
+	pointer.SetNull = wf_Pointer_SetNull;
+	pointer.SetDefault = wf_Pointer_SetDefault;
 
 	graphics_register_bitmap(graphics, &bitmap);
 	graphics_register_pointer(graphics, &pointer);

client/X11/xf_graphics.c

@@ -191,6 +191,36 @@ void xf_Pointer_Set(rdpContext* context, rdpPointer* pointer)
 	if (xfi->window != NULL)
 		XDefineCursor(xfi->display, xfi->window->handle, ((xfPointer*) pointer)->cursor);
 }
+
+void xf_Pointer_SetNull(rdpContext* context)
+{
+	xfInfo* xfi = ((xfContext*) context)->xfi;
+	static Cursor nullcursor = None;
+
+	if (nullcursor == None)
+	{
+		XcursorImage ci;
+		XcursorPixel xp = 0;
+		memset(&ci, 0, sizeof(ci));
+		ci.version = XCURSOR_IMAGE_VERSION;
+		ci.size = sizeof(ci);
+		ci.width = ci.height = 1;
+		ci.xhot = ci.yhot = 0;
+		ci.pixels = &xp;
+		nullcursor = XcursorImageLoadCursor(xfi->display, &ci);
+	}
+	if (xfi->window != NULL && nullcursor != None)
+		XDefineCursor(xfi->display, xfi->window->handle, nullcursor);
+}
+
+void xf_Pointer_SetDefault(rdpContext* context)
+{
+	xfInfo* xfi = ((xfContext*) context)->xfi;
+
+	if (xfi->window != NULL)
+		XUndefineCursor(xfi->display, xfi->window->handle);
+}
+
 /* Glyph Class */
 
 void xf_Glyph_New(rdpContext* context, rdpGlyph* glyph)
@@ -302,6 +332,8 @@ void xf_register_graphics(rdpGraphics* graphics)
 	pointer->New = xf_Pointer_New;
 	pointer->Free = xf_Pointer_Free;
 	pointer->Set = xf_Pointer_Set;
+	pointer->SetNull = xf_Pointer_SetNull;
+	pointer->SetDefault = xf_Pointer_SetDefault;
 
 	graphics_register_pointer(graphics, pointer);
 	xfree(pointer);

cunit/test_sspi.c

@@ -29,11 +29,13 @@
 
 int init_sspi_suite(void)
 {
+	sspi_GlobalInit();
 	return 0;
 }
 
 int clean_sspi_suite(void)
 {
+	sspi_GlobalFinish();
 	return 0;
 }
 
@@ -69,6 +71,8 @@ void test_EnumerateSecurityPackages(void)
 					pPackageInfo[index].Name, pPackageInfo[index].Comment);
 		}
 	}
+
+	FreeContextBuffer(pPackageInfo);
 }
 
 void test_QuerySecurityPackageInfo(void)
@@ -196,6 +200,10 @@ void test_InitializeSecurityContext(void)
 	printf("BufferType: 0x%04X cbBuffer:%d\n", p_sec_buffer->BufferType, p_sec_buffer->cbBuffer);
 
 	freerdp_hexdump((uint8*) p_sec_buffer->pvBuffer, p_sec_buffer->cbBuffer);
+
+	table->FreeCredentialsHandle(&credentials);
+
+	FreeContextBuffer(pPackageInfo);
 }
 
 

include/freerdp/auth/sspi.h

@@ -23,6 +23,26 @@
 #include <freerdp/api.h>
 #include <freerdp/types.h>
 
+struct _SEC_INTEGER
+{
+	uint32 LowPart;
+	sint32 HighPart;
+};
+typedef struct _SEC_INTEGER SEC_INTEGER;
+
+typedef SEC_INTEGER SEC_TIMESTAMP;
+
+struct _SEC_PKG_INFO
+{
+	uint32 fCapabilities;
+	uint16 wVersion;
+	uint16 wRPCID;
+	uint32 cbMaxToken;
+	char* Name;
+	char* Comment;
+};
+typedef struct _SEC_PKG_INFO SEC_PKG_INFO;
+
 #define SECPKG_ID_NONE				0xFFFF
 
 #define SECPKG_FLAG_INTEGRITY			0x00000001
@@ -179,6 +199,196 @@ typedef uint32 SECURITY_STATUS;
 #define SECPKG_ATTR_NEGO_STATUS				32
 #define SECPKG_ATTR_CONTEXT_DELETED			33
 
+struct _SEC_PKG_CONTEXT_ACCESS_TOKEN
+{
+	void* AccessToken;
+};
+typedef struct _SEC_PKG_CONTEXT_ACCESS_TOKEN SEC_PKG_CONTEXT_ACCESS_TOKEN;
+
+struct _SEC_PKG_CONTEXT_SESSION_APP_DATA
+{
+	uint32 dwFlags;
+	uint32 cbAppData;
+	uint8* pbAppData;
+};
+typedef struct _SEC_PKG_CONTEXT_SESSION_APP_DATA SEC_PKG_CONTEXT_SESSION_APP_DATA;
+
+struct _SEC_PKG_CONTEXT_AUTHORITY
+{
+	char* sAuthorityName;
+};
+typedef struct _SEC_PKG_CONTEXT_AUTHORITY SEC_PKG_CONTEXT_AUTHORITY;
+
+struct _SEC_PKG_CONTEXT_CLIENT_SPECIFIED_TARGET
+{
+	char* sTargetName;
+};
+typedef struct _SEC_PKG_CONTEXT_CLIENT_SPECIFIED_TARGET SEC_PKG_CONTEXT_CLIENT_SPECIFIED_TARGET;
+
+typedef uint32 ALG_ID;
+
+struct _SEC_PKG_CONTEXT_CONNECTION_INFO
+{
+	uint32 dwProtocol;
+	ALG_ID aiCipher;
+	uint32 dwCipherStrength;
+	ALG_ID aiHash;
+	uint32 dwHashStrength;
+	ALG_ID aiExch;
+	uint32 dwExchStrength;
+};
+typedef struct _SEC_PKG_CONTEXT_CONNECTION_INFO SEC_PKG_CONTEXT_CONNECTION_INFO;
+
+struct _SEC_PKG_CONTEXT_CLIENT_CREDS
+{
+	uint32 AuthBufferLen;
+	uint8* AuthBuffer;
+};
+typedef struct _SEC_PKG_CONTEXT_CLIENT_CREDS SEC_PKG_CONTEXT_CLIENT_CREDS;
+
+struct _SEC_PKG_CONTEXT_DCE_INFO
+{
+	uint32 AuthzSvc;
+	void* pPac;
+};
+typedef struct _SEC_PKG_CONTEXT_DCE_INFO SEC_PKG_CONTEXT_DCE_INFO;
+
+struct _SEC_CHANNEL_BINDINGS
+{
+	uint32 dwInitiatorAddrType;
+	uint32 cbInitiatorLength;
+	uint32 dwInitiatorOffset;
+	uint32 dwAcceptorAddrType;
+	uint32 cbAcceptorLength;
+	uint32 dwAcceptorOffset;
+	uint32 cbApplicationDataLength;
+	uint32 dwApplicationDataOffset;
+};
+typedef struct _SEC_CHANNEL_BINDINGS SEC_CHANNEL_BINDINGS;
+
+struct _SEC_PKG_CONTEXT_BINDINGS
+{
+	uint32 BindingsLength;
+	SEC_CHANNEL_BINDINGS* Bindings;
+};
+typedef struct _SEC_PKG_CONTEXT_BINDINGS SEC_PKG_CONTEXT_BINDINGS;
+
+struct _SEC_PKG_CONTEXT_EAP_KEY_BLOCK
+{
+	uint8 rgbKeys[128];
+	uint8 rgbIVs[64];
+};
+typedef struct _SEC_PKG_CONTEXT_EAP_KEY_BLOCK SEC_PKG_CONTEXT_EAP_KEY_BLOCK;
+
+struct _SEC_PKG_CONTEXT_FLAGS
+{
+	uint32 Flags;
+};
+typedef struct _SEC_PKG_CONTEXT_FLAGS SEC_PKG_CONTEXT_FLAGS;
+
+struct _SEC_PKG_CONTEXT_KEY_INFO
+{
+	char* sSignatureAlgorithmName;
+	char* sEncryptAlgorithmName;
+	uint32 KeySize;
+	uint32 SignatureAlgorithm;
+	uint32 EncryptAlgorithm;
+};
+typedef struct _SEC_PKG_CONTEXT_KEY_INFO SEC_PKG_CONTEXT_KEY_INFO;
+
+struct _SEC_PKG_CONTEXT_LIFESPAN
+{
+	SEC_TIMESTAMP tsStart;
+	SEC_TIMESTAMP tsExpiry;
+};
+typedef struct _SEC_PKG_CONTEXT_LIFESPAN SEC_PKG_CONTEXT_LIFESPAN;
+
+struct _SEC_PKG_CONTEXT_NAMES
+{
+	char* sUserName;
+};
+typedef struct _SEC_PKG_CONTEXT_NAMES SEC_PKG_CONTEXT_NAMES;
+
+struct _SEC_PKG_CONTEXT_NATIVE_NAMES
+{
+	char* sClientName;
+	char* sServerName;
+};
+typedef struct _SEC_PKG_CONTEXT_NATIVE_NAMES SEC_PKG_CONTEXT_NATIVE_NAMES;
+
+struct _SEC_PKG_CONTEXT_NEGOTIATION_INFO
+{
+	SEC_PKG_INFO* PackageInfo;
+	uint32 NegotiationState;
+};
+typedef struct _SEC_PKG_CONTEXT_NEGOTIATION_INFO SEC_PKG_CONTEXT_NEGOTIATION_INFO;
+
+struct _SEC_PKG_CONTEXT_PACKAGE_INFO
+{
+	SEC_PKG_INFO* PackageInfo;
+};
+typedef struct _SEC_PKG_CONTEXT_PACKAGE_INFO SEC_PKG_CONTEXT_PACKAGE_INFO;
+
+struct _SEC_PKG_CONTEXT_PASSWORD_EXPIRY
+{
+	SEC_TIMESTAMP tsPasswordExpires;
+};
+typedef struct _SEC_PKG_CONTEXT_PASSWORD_EXPIRY SEC_PKG_CONTEXT_PASSWORD_EXPIRY;
+
+struct _SEC_PKG_CONTEXT_SESSION_KEY
+{
+	uint32 SessionKeyLength;
+	uint8* SessionKey;
+};
+typedef struct _SEC_PKG_CONTEXT_SESSION_KEY SEC_PKG_CONTEXT_SESSION_KEY;
+
+struct _SEC_PKG_CONTEXT_SESSION_INFO
+{
+	uint32 dwFlags;
+	uint32 cbSessionId;
+	uint8 rgbSessionId[32];
+};
+typedef struct _SEC_PKG_CONTEXT_SESSION_INFO SEC_PKG_CONTEXT_SESSION_INFO;
+
+struct _SEC_PKG_CONTEXT_SIZES
+{
+	uint32 cbMaxToken;
+	uint32 cbMaxSignature;
+	uint32 cbBlockSize;
+	uint32 cbSecurityTrailer;
+};
+typedef struct _SEC_PKG_CONTEXT_SIZES SEC_PKG_CONTEXT_SIZES;
+
+struct _SEC_PKG_CONTEXT_STREAM_SIZES
+{
+	uint32 cbHeader;
+	uint32 cbTrailer;
+	uint32 cbMaximumMessage;
+	uint32 cBuffers;
+	uint32 cbBlockSize;
+};
+typedef struct _SEC_PKG_CONTEXT_STREAM_SIZES SEC_PKG_CONTEXT_STREAM_SIZES;
+
+struct _SEC_PKG_CONTEXT_SUBJECT_ATTRIBUTES
+{
+	void *AttributeInfo;
+};
+typedef struct _SEC_PKG_CONTEXT_SUBJECT_ATTRIBUTES SEC_PKG_CONTEXT_SUBJECT_ATTRIBUTES;
+
+struct _SEC_PKG_CONTEXT_SUPPORTED_SIGNATURES
+{
+	uint16 cSignatureAndHashAlgorithms;
+	uint16* pSignatureAndHashAlgorithms;
+};
+typedef struct _SEC_PKG_CONTEXT_SUPPORTED_SIGNATURES SEC_PKG_CONTEXT_SUPPORTED_SIGNATURES;
+
+struct _SEC_PKG_CONTEXT_TARGET_INFORMATION
+{
+	uint32 MarshalledTargetInfoLength;
+	uint8* MarshalledTargetInfo;
+};
+typedef struct _SEC_PKG_CONTEXT_TARGET_INFORMATION SEC_PKG_CONTEXT_TARGET_INFORMATION;
+
 /* Security Credentials Attributes */
 
 #define SECPKG_CRED_ATTR_NAMES				1
@@ -293,17 +503,6 @@ typedef struct _SEC_PKG_CREDENTIALS_NAMES SEC_PKG_CREDENTIALS_NAMES;
 #define ASC_RET_NO_PROXY_BINDINGS		0x04000000
 #define ASC_RET_MISSING_BINDINGS		0x10000000
 
-struct _SEC_PKG_INFO
-{
-	uint32 fCapabilities;
-	uint16 wVersion;
-	uint16 wRPCID;
-	uint32 cbMaxToken;
-	char* Name;
-	char* Comment;
-};
-typedef struct _SEC_PKG_INFO SEC_PKG_INFO;
-
 #define SEC_AUTH_IDENTITY_ANSI			0x1
 #define SEC_AUTH_IDENTITY_UNICODE		0x2
 
@@ -329,15 +528,6 @@ typedef struct _SEC_HANDLE SEC_HANDLE;
 typedef SEC_HANDLE CRED_HANDLE;
 typedef SEC_HANDLE CTXT_HANDLE;
 
-struct _SEC_INTEGER
-{
-	uint32 LowPart;
-	sint32 HighPart;
-};
-typedef struct _SEC_INTEGER SEC_INTEGER;
-
-typedef SEC_INTEGER SEC_TIMESTAMP;
-
 #define SECBUFFER_VERSION			0
 
 /* Buffer Types */
@@ -515,4 +705,9 @@ FREERDP_API SECURITY_STATUS EncryptMessage(CTXT_HANDLE* phContext, uint32 fQOP,
 FREERDP_API SECURITY_STATUS MakeSignature(CTXT_HANDLE* phContext, uint32 fQOP, SEC_BUFFER_DESC* pMessage, uint32 MessageSeqNo);
 FREERDP_API SECURITY_STATUS VerifySignature(CTXT_HANDLE* phContext, SEC_BUFFER_DESC* pMessage, uint32 MessageSeqNo, uint32* pfQOP);
 
+/* Custom API */
+
+void sspi_GlobalInit();
+void sspi_GlobalFinish();
+
 #endif /* FREERDP_AUTH_SSPI_H */

include/freerdp/graphics.h

@@ -81,6 +81,8 @@ FREERDP_API void Bitmap_SetSurface(rdpContext* context, rdpBitmap* bitmap, boole
 typedef void (*pPointer_New)(rdpContext* context, rdpPointer* pointer);
 typedef void (*pPointer_Free)(rdpContext* context, rdpPointer* pointer);
 typedef void (*pPointer_Set)(rdpContext* context, rdpPointer* pointer);
+typedef void (*pPointer_SetNull)(rdpContext* context);
+typedef void (*pPointer_SetDefault)(rdpContext* context);
 
 struct rdp_pointer
 {
@@ -88,7 +90,9 @@ struct rdp_pointer
 	pPointer_New New; /* 1 */
 	pPointer_Free Free; /* 2 */
 	pPointer_Set Set; /* 3 */
-	uint32 paddingA[16 - 4]; /* 4 */
+	pPointer_SetNull SetNull; /* 4*/
+	pPointer_SetDefault SetDefault; /* 5 */
+	uint32 paddingA[16 - 6]; /* 6 */
 
 	uint32 xPos; /* 16 */
 	uint32 yPos; /* 17 */
@@ -106,6 +110,8 @@ FREERDP_API rdpPointer* Pointer_Alloc(rdpContext* context);
 FREERDP_API void Pointer_New(rdpContext* context, rdpPointer* pointer);
 FREERDP_API void Pointer_Free(rdpContext* context, rdpPointer* pointer);
 FREERDP_API void Pointer_Set(rdpContext* context, rdpPointer* pointer);
+FREERDP_API void Pointer_SetNull(rdpContext* context);
+FREERDP_API void Pointer_SetDefault(rdpContext* context);
 
 /* Glyph Class */
 

libfreerdp-auth/CMakeLists.txt

@@ -20,6 +20,8 @@
 set(FREERDP_AUTH_SRCS
 	NTLM/ntlm.c
 	NTLM/ntlm.h
+	NTLM/ntlm_compute.c
+	NTLM/ntlm_compute.h
 	NTLM/ntlm_message.c
 	NTLM/ntlm_message.h
 	sspi.c

libfreerdp-auth/NTLM/ntlm.c

@@ -26,7 +26,6 @@
 #include <freerdp/utils/memory.h>
 
 #include <freerdp/auth/sspi.h>
-#include <freerdp/auth/credssp.h>
 
 #include "ntlm.h"
 #include "../sspi.h"
@@ -35,6 +34,58 @@
 
 char* NTLM_PACKAGE_NAME = "NTLM";
 
+void ntlm_SetContextIdentity(NTLM_CONTEXT* context, SEC_AUTH_IDENTITY* identity)
+{
+	size_t size;
+	context->identity.Flags = SEC_AUTH_IDENTITY_UNICODE;
+
+	if (identity->Flags == SEC_AUTH_IDENTITY_ANSI)
+	{
+		context->identity.User = (uint16*) freerdp_uniconv_out(context->uniconv, (char*) identity->User, &size);
+		context->identity.UserLength = (uint32) size;
+
+		if (identity->DomainLength > 0)
+		{
+			context->identity.Domain = (uint16*) freerdp_uniconv_out(context->uniconv, (char*) identity->Domain, &size);
+			context->identity.DomainLength = (uint32) size;
+		}
+		else
+		{
+			context->identity.Domain = (uint16*) NULL;
+			context->identity.DomainLength = 0;
+		}
+
+		context->identity.Password = (uint16*) freerdp_uniconv_out(context->uniconv, (char*) identity->Password, &size);
+		context->identity.PasswordLength = (uint32) size;
+	}
+	else
+	{
+		context->identity.User = (uint16*) xmalloc(identity->UserLength);
+		memcpy(context->identity.User, identity->User, identity->UserLength);
+
+		if (identity->DomainLength > 0)
+		{
+			context->identity.Domain = (uint16*) xmalloc(identity->DomainLength);
+			memcpy(context->identity.Domain, identity->Domain, identity->DomainLength);
+		}
+		else
+		{
+			context->identity.Domain = (uint16*) NULL;
+			context->identity.DomainLength = 0;
+		}
+
+		context->identity.Password = (uint16*) xmalloc(identity->PasswordLength);
+		memcpy(context->identity.Password, identity->User, identity->PasswordLength);
+	}
+}
+
+void ntlm_SetContextWorkstation(NTLM_CONTEXT* context, char* Workstation)
+{
+	size_t size;
+	context->Workstation = (uint16*) freerdp_uniconv_out(context->uniconv, Workstation, &size);
+	context->WorkstationLength = (uint32) size;
+}
+
 NTLM_CONTEXT* ntlm_ContextNew()
 {
 	NTLM_CONTEXT* context;
@@ -46,6 +97,8 @@ NTLM_CONTEXT* ntlm_ContextNew()
 		context->ntlm_v2 = false;
 		context->NegotiateFlags = 0;
 		context->state = NTLM_STATE_INITIAL;
+		context->uniconv = freerdp_uniconv_new();
+		context->av_pairs = (AV_PAIRS*) xzalloc(sizeof(AV_PAIRS));
 	}
 
 	return context;
@@ -82,6 +135,23 @@ SECURITY_STATUS ntlm_AcquireCredentialsHandle(char* pszPrincipal, char* pszPacka
 	return SEC_E_OK;
 }
 
+SECURITY_STATUS ntlm_FreeCredentialsHandle(CRED_HANDLE* phCredential)
+{
+	CREDENTIALS* credentials;
+
+	if (!phCredential)
+		return SEC_E_INVALID_HANDLE;
+
+	credentials = (CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential);
+
+	if (!credentials)
+		return SEC_E_INVALID_HANDLE;
+
+	sspi_CredentialsFree(credentials);
+
+	return SEC_E_OK;
+}
+
 SECURITY_STATUS ntlm_QueryCredentialsAttributes(CRED_HANDLE* phCredential, uint32 ulAttribute, void* pBuffer)
 {
 	if (ulAttribute == SECPKG_CRED_ATTR_NAMES)
@@ -108,27 +178,94 @@ SECURITY_STATUS ntlm_InitializeSecurityContext(CRED_HANDLE* phCredential, CTXT_H
 		SEC_BUFFER_DESC* pOutput, uint32* pfContextAttr, SEC_TIMESTAMP* ptsExpiry)
 {
 	NTLM_CONTEXT* context;
-	SEC_BUFFER* sec_buffer;
+	SECURITY_STATUS status;
+	CREDENTIALS* credentials;
+	SEC_BUFFER* input_sec_buffer;
+	SEC_BUFFER* output_sec_buffer;
 
-	if (pInput == NULL)
+	context = sspi_SecureHandleGetLowerPointer(phContext);
+
+	if (!context)
 	{
 		context = ntlm_ContextNew();
 
+		credentials = (CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential);
+
+		ntlm_SetContextIdentity(context, &credentials->identity);
+		ntlm_SetContextWorkstation(context, "WORKSTATION");
+
+		sspi_SecureHandleSetLowerPointer(phNewContext, context);
+		sspi_SecureHandleSetUpperPointer(phNewContext, (void*) NTLM_PACKAGE_NAME);
+	}
+
+	if ((!pInput) || (context->state == NTLM_STATE_AUTHENTICATE))
+	{
 		if (!pOutput)
 			return SEC_E_INVALID_TOKEN;
 
 		if (pOutput->cBuffers < 1)
 			return SEC_E_INVALID_TOKEN;
 
-		sec_buffer = &pOutput->pBuffers[0];
+		output_sec_buffer = &pOutput->pBuffers[0];
 
-		if (sec_buffer->BufferType != SECBUFFER_TOKEN)
+		if (output_sec_buffer->BufferType != SECBUFFER_TOKEN)
 			return SEC_E_INVALID_TOKEN;
 
-		if (sec_buffer->cbBuffer < 1)
+		if (output_sec_buffer->cbBuffer < 1)
 			return SEC_E_INSUFFICIENT_MEMORY;
 
-		return ntlm_write_NegotiateMessage(context, sec_buffer);
+		if (context->state == NTLM_STATE_INITIAL)
+			context->state = NTLM_STATE_NEGOTIATE;
+
+		if (context->state == NTLM_STATE_NEGOTIATE)
+			return ntlm_write_NegotiateMessage(context, output_sec_buffer);
+
+		return SEC_E_OUT_OF_SEQUENCE;
+	}
+	else
+	{
+		context = (NTLM_CONTEXT*) sspi_SecureHandleGetLowerPointer(phContext);
+
+		if (!context)
+			return SEC_E_INVALID_HANDLE;
+
+		if (!pInput)
+			return SEC_E_INVALID_TOKEN;
+
+		if (pInput->cBuffers < 1)
+			return SEC_E_INVALID_TOKEN;
+
+		input_sec_buffer = &pInput->pBuffers[0];
+
+		if (input_sec_buffer->BufferType != SECBUFFER_TOKEN)
+			return SEC_E_INVALID_TOKEN;
+
+		if (input_sec_buffer->cbBuffer < 1)
+			return SEC_E_INVALID_TOKEN;
+
+		if (context->state == NTLM_STATE_CHALLENGE)
+		{
+			status = ntlm_read_ChallengeMessage(context, input_sec_buffer);
+
+			if (!pOutput)
+				return SEC_E_INVALID_TOKEN;
+
+			if (pOutput->cBuffers < 1)
+				return SEC_E_INVALID_TOKEN;
+
+			output_sec_buffer = &pOutput->pBuffers[0];
+
+			if (output_sec_buffer->BufferType != SECBUFFER_TOKEN)
+				return SEC_E_INVALID_TOKEN;
+
+			if (output_sec_buffer->cbBuffer < 1)
+				return SEC_E_INSUFFICIENT_MEMORY;
+
+			if (context->state == NTLM_STATE_AUTHENTICATE)
+				return ntlm_write_AuthenticateMessage(context, output_sec_buffer);
+		}
+
+		return SEC_E_OUT_OF_SEQUENCE;
 	}
 
 	return SEC_E_OK;
@@ -141,6 +278,159 @@ SECURITY_STATUS ntlm_QueryContextAttributes(CTXT_HANDLE* phContext, uint32 ulAtt
 	return SEC_E_OK;
 }
 
+SECURITY_STATUS ntlm_EncryptMessage(CTXT_HANDLE* phContext, uint32 fQOP, SEC_BUFFER_DESC* pMessage, uint32 MessageSeqNo)
+{
+	int index;
+	int length;
+	void* data;
+	HMAC_CTX hmac;
+	uint8 digest[16];
+	uint8 checksum[8];
+	uint8* signature;
+	uint32 version = 1;
+	NTLM_CONTEXT* context;
+	SEC_BUFFER* data_buffer = NULL;
+	SEC_BUFFER* signature_buffer = NULL;
+
+	context = sspi_SecureHandleGetLowerPointer(phContext);
+
+	for (index = 0; index < pMessage->cBuffers; index++)
+	{
+		if (pMessage->pBuffers[index].BufferType == SECBUFFER_DATA)
+			data_buffer = &pMessage->pBuffers[index];
+		else if (pMessage->pBuffers[index].BufferType == SECBUFFER_PADDING)
+			signature_buffer = &pMessage->pBuffers[index];
+	}
+
+	if (!data_buffer)
+		return SEC_E_INVALID_TOKEN;
+
+	if (!signature_buffer)
+		return SEC_E_INVALID_TOKEN;
+
+	/* Copy original data buffer */
+	length = data_buffer->cbBuffer;
+	data = xmalloc(length);
+	memcpy(data, data_buffer->pvBuffer, length);
+
+	/* Compute the HMAC-MD5 hash of ConcatenationOf(seq_num,data) using the client signing key */
+	HMAC_CTX_init(&hmac);
+	HMAC_Init_ex(&hmac, context->ClientSigningKey, 16, EVP_md5(), NULL);
+	HMAC_Update(&hmac, (void*) &(MessageSeqNo), 4);
+	HMAC_Update(&hmac, data, length);
+	HMAC_Final(&hmac, digest, NULL);
+	HMAC_CTX_cleanup(&hmac);
+
+	/* Encrypt message using with RC4, result overwrites original buffer */
+	crypto_rc4(context->send_rc4_seal, length, data, data_buffer->pvBuffer);
+	xfree(data);
+
+#ifdef WITH_DEBUG_NTLM
+	printf("Data Buffer (length = %d)\n", length);
+	freerdp_hexdump(data, length);
+	printf("\n");
+
+	printf("Encrypted Data Buffer (length = %d)\n", data_buffer->cbBuffer);
+	freerdp_hexdump(data_buffer->pvBuffer, data_buffer->cbBuffer);
+	printf("\n");
+#endif
+
+	/* RC4-encrypt first 8 bytes of digest */
+	crypto_rc4(context->send_rc4_seal, 8, digest, checksum);
+
+	signature = (uint8*) signature_buffer->pvBuffer;
+
+	/* Concatenate version, ciphertext and sequence number to build signature */
+	memcpy(signature, (void*) &version, 4);
+	memcpy(&signature[4], (void*) checksum, 8);
+	memcpy(&signature[12], (void*) &(MessageSeqNo), 4);
+	context->send_seq_num++;
+
+#ifdef WITH_DEBUG_NTLM
+	printf("Signature (length = %d)\n", signature_buffer->cbBuffer);
+	freerdp_hexdump(signature_buffer->pvBuffer, signature_buffer->cbBuffer);
+	printf("\n");
+#endif
+
+	return SEC_E_OK;
+}
+
+SECURITY_STATUS ntlm_DecryptMessage(CTXT_HANDLE* phContext, SEC_BUFFER_DESC* pMessage, uint32 MessageSeqNo, uint32* pfQOP)
+{
+	int index;
+	int length;
+	void* data;
+	HMAC_CTX hmac;
+	uint8 digest[16];
+	uint8 checksum[8];
+	uint32 version = 1;
+	NTLM_CONTEXT* context;
+	uint8 expected_signature[16];
+	SEC_BUFFER* data_buffer = NULL;
+	SEC_BUFFER* signature_buffer = NULL;
+
+	context = sspi_SecureHandleGetLowerPointer(phContext);
+
+	for (index = 0; index < pMessage->cBuffers; index++)
+	{
+		if (pMessage->pBuffers[index].BufferType == SECBUFFER_DATA)
+			data_buffer = &pMessage->pBuffers[index];
+		else if (pMessage->pBuffers[index].BufferType == SECBUFFER_PADDING)
+			signature_buffer = &pMessage->pBuffers[index];
+	}
+
+	if (!data_buffer)
+		return SEC_E_INVALID_TOKEN;
+
+	if (!signature_buffer)
+		return SEC_E_INVALID_TOKEN;
+
+	/* Copy original data buffer */
+	length = data_buffer->cbBuffer;
+	data = xmalloc(length);
+	memcpy(data, data_buffer->pvBuffer, length);
+
+	/* Decrypt message using with RC4 */
+	crypto_rc4(context->recv_rc4_seal, length, data, data_buffer->pvBuffer);
+
+	/* Compute the HMAC-MD5 hash of ConcatenationOf(seq_num,data) using the client signing key */
+	HMAC_CTX_init(&hmac);
+	HMAC_Init_ex(&hmac, context->ServerSigningKey, 16, EVP_md5(), NULL);
+	HMAC_Update(&hmac, (void*) &(MessageSeqNo), 4);
+	HMAC_Update(&hmac, data_buffer->pvBuffer, data_buffer->cbBuffer);
+	HMAC_Final(&hmac, digest, NULL);
+	HMAC_CTX_cleanup(&hmac);
+	xfree(data);
+
+	/* RC4-encrypt first 8 bytes of digest */
+	crypto_rc4(context->recv_rc4_seal, 8, digest, checksum);
+
+	/* Concatenate version, ciphertext and sequence number to build signature */
+	memcpy(expected_signature, (void*) &version, 4);
+	memcpy(&expected_signature[4], (void*) checksum, 8);
+	memcpy(&expected_signature[12], (void*) &(MessageSeqNo), 4);
+	context->recv_seq_num++;
+
+	if (memcmp(signature_buffer->pvBuffer, expected_signature, 16) != 0)
+	{
+		/* signature verification failed! */
+		printf("signature verification failed, something nasty is going on!\n");
+		return SEC_E_MESSAGE_ALTERED;
+	}
+
+	return SEC_E_OK;
+}
+
+SECURITY_STATUS ntlm_MakeSignature(CTXT_HANDLE* phContext, uint32 fQOP, SEC_BUFFER_DESC* pMessage, uint32 MessageSeqNo)
+{
+	return SEC_E_OK;
+}
+
+SECURITY_STATUS ntlm_VerifySignature(CTXT_HANDLE* phContext, SEC_BUFFER_DESC* pMessage, uint32 MessageSeqNo, uint32* pfQOP)
+{
+	return SEC_E_OK;
+}
+
 const SEC_PKG_INFO NTLM_SEC_PKG_INFO =
 {
 	0x00082B37, /* fCapabilities */
@@ -158,7 +448,7 @@ const SECURITY_FUNCTION_TABLE NTLM_SECURITY_FUNCTION_TABLE =
 	NULL, /* Reserved1 */
 	ntlm_QueryCredentialsAttributes, /* QueryCredentialsAttributes */
 	ntlm_AcquireCredentialsHandle, /* AcquireCredentialsHandle */
-	NULL, /* FreeCredentialsHandle */
+	ntlm_FreeCredentialsHandle, /* FreeCredentialsHandle */
 	NULL, /* Reserved2 */
 	ntlm_InitializeSecurityContext, /* InitializeSecurityContext */
 	NULL, /* AcceptSecurityContext */
@@ -168,8 +458,8 @@ const SECURITY_FUNCTION_TABLE NTLM_SECURITY_FUNCTION_TABLE =
 	ntlm_QueryContextAttributes, /* QueryContextAttributes */
 	NULL, /* ImpersonateSecurityContext */
 	NULL, /* RevertSecurityContext */
-	NULL, /* MakeSignature */
-	NULL, /* VerifySignature */
+	ntlm_MakeSignature, /* MakeSignature */
+	ntlm_VerifySignature, /* VerifySignature */
 	NULL, /* FreeContextBuffer */
 	NULL, /* QuerySecurityPackageInfo */
 	NULL, /* Reserved3 */
@@ -179,7 +469,7 @@ const SECURITY_FUNCTION_TABLE NTLM_SECURITY_FUNCTION_TABLE =
 	NULL, /* AddCredentials */
 	NULL, /* Reserved8 */
 	NULL, /* QuerySecurityContextToken */
-	NULL, /* EncryptMessage */
-	NULL, /* DecryptMessage */
+	ntlm_EncryptMessage, /* EncryptMessage */
+	ntlm_DecryptMessage, /* DecryptMessage */
 	NULL, /* SetContextAttributes */
 };

libfreerdp-auth/NTLM/ntlm.h

@@ -21,7 +21,9 @@
 #define FREERDP_AUTH_NTLM_PRIVATE_H
 
 #include <freerdp/auth/sspi.h>
-#include <freerdp/auth/credssp.h>
+#include <freerdp/crypto/crypto.h>
+
+#include <freerdp/utils/unicode.h>
 
 #include "../sspi.h"
 
@@ -35,15 +37,81 @@ enum _NTLM_STATE
 };
 typedef enum _NTLM_STATE NTLM_STATE;
 
+struct _AV_PAIR
+{
+	uint16 length;
+	uint8* value;
+};
+typedef struct _AV_PAIR AV_PAIR;
+
+struct _AV_PAIRS
+{
+	AV_PAIR NbComputerName;
+	AV_PAIR NbDomainName;
+	AV_PAIR DnsComputerName;
+	AV_PAIR DnsDomainName;
+	AV_PAIR DnsTreeName;
+	AV_PAIR Timestamp;
+	AV_PAIR Restrictions;
+	AV_PAIR TargetName;
+	AV_PAIR ChannelBindings;
+	uint32 Flags;
+};
+typedef struct _AV_PAIRS AV_PAIRS;
+
+enum _AV_ID
+{
+	MsvAvEOL,
+	MsvAvNbComputerName,
+	MsvAvNbDomainName,
+	MsvAvDnsComputerName,
+	MsvAvDnsDomainName,
+	MsvAvDnsTreeName,
+	MsvAvFlags,
+	MsvAvTimestamp,
+	MsvAvRestrictions,
+	MsvAvTargetName,
+	MsvChannelBindings
+};
+typedef enum _AV_ID AV_ID;
+
 struct _NTLM_CONTEXT
 {
 	boolean ntlm_v2;
 	NTLM_STATE state;
+	UNICONV* uniconv;
+	int send_seq_num;
+	int recv_seq_num;
+	AV_PAIRS* av_pairs;
+	CryptoRc4 send_rc4_seal;
+	CryptoRc4 recv_rc4_seal;
 	uint32 NegotiateFlags;
+	uint16* Workstation;
+	uint32 WorkstationLength;
+	SEC_AUTH_IDENTITY identity;
 	SEC_BUFFER NegotiateMessage;
 	SEC_BUFFER ChallengeMessage;
 	SEC_BUFFER AuthenticateMessage;
+	SEC_BUFFER TargetInfo;
+	SEC_BUFFER TargetName;
+	SEC_BUFFER NtChallengeResponse;
+	SEC_BUFFER LmChallengeResponse;
+	uint8 Timestamp[8];
+	uint8 ServerChallenge[8];
+	uint8 ClientChallenge[8];
+	uint8 SessionBaseKey[16];
+	uint8 KeyExchangeKey[16];
+	uint8 RandomSessionKey[16];
+	uint8 ExportedSessionKey[16];
+	uint8 EncryptedRandomSessionKey[16];
+	uint8 ClientSigningKey[16];
+	uint8 ClientSealingKey[16];
+	uint8 ServerSigningKey[16];
+	uint8 ServerSealingKey[16];
+	uint8 MessageIntegrityCheck[16];
 };
 typedef struct _NTLM_CONTEXT NTLM_CONTEXT;
 
+#define WITH_DEBUG_NTLM		1
+
 #endif /* FREERDP_AUTH_NTLM_PRIVATE_H */

libfreerdp-auth/NTLM/ntlm_compute.c

@@ -0,0 +1,900 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * NTLM Security Package (Compute)
+ *
+ * Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "ntlm.h"
+#include "../sspi.h"
+
+#include <time.h>
+#include <openssl/des.h>
+#include <openssl/md4.h>
+#include <openssl/hmac.h>
+#include <openssl/rand.h>
+#include <openssl/engine.h>
+#include <freerdp/crypto/crypto.h>
+
+#include <freerdp/utils/stream.h>
+#include <freerdp/utils/memory.h>
+#include <freerdp/utils/hexdump.h>
+
+#include "ntlm_compute.h"
+
+const char* const AV_PAIRS_STRINGS[] =
+{
+	"MsvAvEOL",
+	"MsvAvNbComputerName",
+	"MsvAvNbDomainName",
+	"MsvAvDnsComputerName",
+	"MsvAvDnsDomainName",
+	"MsvAvDnsTreeName",
+	"MsvAvFlags",
+	"MsvAvTimestamp",
+	"MsvAvRestrictions",
+	"MsvAvTargetName",
+	"MsvChannelBindings"
+};
+
+static const char lm_magic[] = "KGS!@#$%";
+
+static const char client_sign_magic[] = "session key to client-to-server signing key magic constant";
+static const char server_sign_magic[] = "session key to server-to-client signing key magic constant";
+static const char client_seal_magic[] = "session key to client-to-server sealing key magic constant";
+static const char server_seal_magic[] = "session key to server-to-client sealing key magic constant";
+
+/**
+ * Output Restriction_Encoding.\n
+ * Restriction_Encoding @msdn{cc236647}
+ * @param NTLM context
+ */
+
+void ntlm_output_restriction_encoding(NTLM_CONTEXT* context)
+{
+	STREAM* s;
+	AV_PAIR* restrictions = &context->av_pairs->Restrictions;
+
+	uint8 machineID[32] =
+		"\x3A\x15\x8E\xA6\x75\x82\xD8\xF7\x3E\x06\xFA\x7A\xB4\xDF\xFD\x43"
+		"\x84\x6C\x02\x3A\xFD\x5A\x94\xFE\xCF\x97\x0F\x3D\x19\x2C\x38\x20";
+
+	restrictions->value = xmalloc(48);
+	restrictions->length = 48;
+
+	s = stream_new(0);
+	stream_attach(s, restrictions->value, restrictions->length);
+
+	stream_write_uint32(s, 48); /* Size */
+	stream_write_zero(s, 4); /* Z4 (set to zero) */
+
+	/* IntegrityLevel (bit 31 set to 1) */
+	stream_write_uint8(s, 1);
+	stream_write_zero(s, 3);
+
+	stream_write_uint32(s, 0x00002000); /* SubjectIntegrityLevel */
+	stream_write(s, machineID, 32); /* MachineID */
+
+	xfree(s);
+}
+
+/**
+ * Output TargetName.\n
+ * @param NTLM context
+ */
+
+void ntlm_output_target_name(NTLM_CONTEXT* context)
+{
+	STREAM* s;
+	AV_PAIR* TargetName = &context->av_pairs->TargetName;
+
+	/*
+	 * TODO: No idea what should be set here (observed MsvAvTargetName = MsvAvDnsComputerName or
+	 * MsvAvTargetName should be the name of the service be accessed after authentication)
+	 * here used: "TERMSRV/192.168.0.123" in unicode (Dmitrij Jasnov)
+	 */
+	uint8 name[42] =
+			"\x54\x00\x45\x00\x52\x00\x4d\x00\x53\x00\x52\x00\x56\x00\x2f\x00\x31\x00\x39\x00\x32"
+			"\x00\x2e\x00\x31\x00\x36\x00\x38\x00\x2e\x00\x30\x00\x2e\x00\x31\x00\x32\x00\x33\x00";
+
+	TargetName->length = 42;
+	TargetName->value = (uint8*) xmalloc(TargetName->length);
+
+	s = stream_new(0);
+	stream_attach(s, TargetName->value, TargetName->length);
+
+	stream_write(s, name, TargetName->length);
+
+	xfree(s);
+}
+
+/**
+ * Output ChannelBindings.\n
+ * @param NTLM context
+ */
+
+void ntlm_output_channel_bindings(NTLM_CONTEXT* context)
+{
+	STREAM* s;
+	AV_PAIR* ChannelBindings = &context->av_pairs->ChannelBindings;
+
+	ChannelBindings->value = (uint8*) xmalloc(48);
+	ChannelBindings->length = 16;
+
+	s = stream_new(0);
+	stream_attach(s, ChannelBindings->value, ChannelBindings->length);
+
+	stream_write_zero(s, 16); /* an all-zero value of the hash is used to indicate absence of channel bindings */
+
+	xfree(s);
+}
+
+/**
+ * Input array of AV_PAIRs.\n
+ * AV_PAIR @msdn{cc236646}
+ * @param NTLM context
+ * @param s
+ */
+
+void ntlm_input_av_pairs(NTLM_CONTEXT* context, STREAM* s)
+{
+	AV_ID AvId;
+	uint16 AvLen;
+	uint8* value;
+	AV_PAIRS* av_pairs = context->av_pairs;
+
+#ifdef WITH_DEBUG_NTLM
+	printf("AV_PAIRS = {\n");
+#endif
+
+	do
+	{
+		value = NULL;
+		stream_read_uint16(s, AvId);
+		stream_read_uint16(s, AvLen);
+
+		if (AvLen > 0)
+		{
+			if (AvId != MsvAvFlags)
+			{
+				value = xmalloc(AvLen);
+				stream_read(s, value, AvLen);
+			}
+			else
+			{
+				stream_read_uint32(s, av_pairs->Flags);
+			}
+		}
+
+		switch (AvId)
+		{
+			case MsvAvNbComputerName:
+				av_pairs->NbComputerName.length = AvLen;
+				av_pairs->NbComputerName.value = value;
+				break;
+
+			case MsvAvNbDomainName:
+				av_pairs->NbDomainName.length = AvLen;
+				av_pairs->NbDomainName.value = value;
+				break;
+
+			case MsvAvDnsComputerName:
+				av_pairs->DnsComputerName.length = AvLen;
+				av_pairs->DnsComputerName.value = value;
+				break;
+
+			case MsvAvDnsDomainName:
+				av_pairs->DnsDomainName.length = AvLen;
+				av_pairs->DnsDomainName.value = value;
+				break;
+
+			case MsvAvDnsTreeName:
+				av_pairs->DnsTreeName.length = AvLen;
+				av_pairs->DnsTreeName.value = value;
+				break;
+
+			case MsvAvTimestamp:
+				av_pairs->Timestamp.length = AvLen;
+				av_pairs->Timestamp.value = value;
+				break;
+
+			case MsvAvRestrictions:
+				av_pairs->Restrictions.length = AvLen;
+				av_pairs->Restrictions.value = value;
+				break;
+
+			case MsvAvTargetName:
+				av_pairs->TargetName.length = AvLen;
+				av_pairs->TargetName.value = value;
+				break;
+
+			case MsvChannelBindings:
+				av_pairs->ChannelBindings.length = AvLen;
+				av_pairs->ChannelBindings.value = value;
+				break;
+
+			default:
+				if (value != NULL)
+					xfree(value);
+				break;
+		}
+
+#ifdef WITH_DEBUG_NTLM
+		if (AvId < 10)
+			printf("\tAvId: %s, AvLen: %d\n", AV_PAIRS_STRINGS[AvId], AvLen);
+		else
+			printf("\tAvId: %s, AvLen: %d\n", "Unknown", AvLen);
+
+		freerdp_hexdump(value, AvLen);
+#endif
+	}
+	while (AvId != MsvAvEOL);
+
+#ifdef WITH_DEBUG_NTLM
+	printf("}\n");
+#endif
+}
+
+/**
+ * Output array of AV_PAIRs.\n
+ * AV_PAIR @msdn{cc236646}
+ * @param NTLM context
+ * @param s
+ */
+
+void ntlm_output_av_pairs(NTLM_CONTEXT* context, STREAM* s)
+{
+	AV_PAIRS* av_pairs = context->av_pairs;
+
+	if (av_pairs->NbDomainName.length > 0)
+	{
+		stream_write_uint16(s, MsvAvNbDomainName); /* AvId */
+		stream_write_uint16(s, av_pairs->NbDomainName.length); /* AvLen */
+		stream_write(s, av_pairs->NbDomainName.value, av_pairs->NbDomainName.length); /* Value */
+	}
+
+	if (av_pairs->NbComputerName.length > 0)
+	{
+		stream_write_uint16(s, MsvAvNbComputerName); /* AvId */
+		stream_write_uint16(s, av_pairs->NbComputerName.length); /* AvLen */
+		stream_write(s, av_pairs->NbComputerName.value, av_pairs->NbComputerName.length); /* Value */
+	}
+
+	if (av_pairs->DnsDomainName.length > 0)
+	{
+		stream_write_uint16(s, MsvAvDnsDomainName); /* AvId */
+		stream_write_uint16(s, av_pairs->DnsDomainName.length); /* AvLen */
+		stream_write(s, av_pairs->DnsDomainName.value, av_pairs->DnsDomainName.length); /* Value */
+	}
+
+	if (av_pairs->DnsComputerName.length > 0)
+	{
+		stream_write_uint16(s, MsvAvDnsComputerName); /* AvId */
+		stream_write_uint16(s, av_pairs->DnsComputerName.length); /* AvLen */
+		stream_write(s, av_pairs->DnsComputerName.value, av_pairs->DnsComputerName.length); /* Value */
+	}
+
+	if (av_pairs->DnsTreeName.length > 0)
+	{
+		stream_write_uint16(s, MsvAvDnsTreeName); /* AvId */
+		stream_write_uint16(s, av_pairs->DnsTreeName.length); /* AvLen */
+		stream_write(s, av_pairs->DnsTreeName.value, av_pairs->DnsTreeName.length); /* Value */
+	}
+
+	if (av_pairs->Timestamp.length > 0)
+	{
+		stream_write_uint16(s, MsvAvTimestamp); /* AvId */
+		stream_write_uint16(s, av_pairs->Timestamp.length); /* AvLen */
+		stream_write(s, av_pairs->Timestamp.value, av_pairs->Timestamp.length); /* Value */
+	}
+
+	if (av_pairs->Flags > 0)
+	{
+		stream_write_uint16(s, MsvAvFlags); /* AvId */
+		stream_write_uint16(s, 4); /* AvLen */
+		stream_write_uint32(s, av_pairs->Flags); /* Value */
+	}
+
+	if (av_pairs->Restrictions.length > 0)
+	{
+		stream_write_uint16(s, MsvAvRestrictions); /* AvId */
+		stream_write_uint16(s, av_pairs->Restrictions.length); /* AvLen */
+		stream_write(s, av_pairs->Restrictions.value, av_pairs->Restrictions.length); /* Value */
+	}
+
+	if (av_pairs->ChannelBindings.length > 0)
+	{
+		stream_write_uint16(s, MsvChannelBindings); /* AvId */
+		stream_write_uint16(s, av_pairs->ChannelBindings.length); /* AvLen */
+		stream_write(s, av_pairs->ChannelBindings.value, av_pairs->ChannelBindings.length); /* Value */
+	}
+
+	if (av_pairs->TargetName.length > 0)
+	{
+		stream_write_uint16(s, MsvAvTargetName); /* AvId */
+		stream_write_uint16(s, av_pairs->TargetName.length); /* AvLen */
+		stream_write(s, av_pairs->TargetName.value, av_pairs->TargetName.length); /* Value */
+	}
+
+	/* This indicates the end of the AV_PAIR array */
+	stream_write_uint16(s, MsvAvEOL); /* AvId */
+	stream_write_uint16(s, 0); /* AvLen */
+
+	if (context->ntlm_v2)
+	{
+		stream_write_zero(s, 8);
+	}
+}
+
+/**
+ * Populate array of AV_PAIRs.\n
+ * AV_PAIR @msdn{cc236646}
+ * @param NTLM context
+ */
+
+void ntlm_populate_av_pairs(NTLM_CONTEXT* context)
+{
+	STREAM* s;
+	AV_PAIRS* av_pairs = context->av_pairs;
+
+	/* MsvAvFlags */
+	av_pairs->Flags = 0x00000002; /* Indicates the present of a Message Integrity Check (MIC) */
+
+	/* Restriction_Encoding */
+	ntlm_output_restriction_encoding(context);
+
+	/* TargetName */
+	ntlm_output_target_name(context);
+
+	/* ChannelBindings */
+	ntlm_output_channel_bindings(context);
+
+	s = stream_new(context->TargetInfo.cbBuffer);
+	ntlm_output_av_pairs(context, s);
+
+	sspi_SecBufferAlloc(&context->TargetInfo, s->p - s->data);
+	memcpy(context->TargetInfo.pvBuffer, s->data, context->TargetInfo.cbBuffer);
+
+	xfree(s);
+}
+
+/**
+ * Print array of AV_PAIRs.\n
+ * AV_PAIR @msdn{cc236646}
+ * @param NTLM context
+ */
+
+void ntlm_print_av_pairs(NTLM_CONTEXT* context)
+{
+	AV_PAIRS* av_pairs = context->av_pairs;
+
+	printf("AV_PAIRS = {\n");
+
+	if (av_pairs->NbDomainName.length > 0)
+	{
+		printf("\tAvId: MsvAvNbDomainName AvLen: %d\n", av_pairs->NbDomainName.length);
+		freerdp_hexdump(av_pairs->NbDomainName.value, av_pairs->NbDomainName.length);
+	}
+
+	if (av_pairs->NbComputerName.length > 0)
+	{
+		printf("\tAvId: MsvAvNbComputerName AvLen: %d\n", av_pairs->NbComputerName.length);
+		freerdp_hexdump(av_pairs->NbComputerName.value, av_pairs->NbComputerName.length);
+	}
+
+	if (av_pairs->DnsDomainName.length > 0)
+	{
+		printf("\tAvId: MsvAvDnsDomainName AvLen: %d\n", av_pairs->DnsDomainName.length);
+		freerdp_hexdump(av_pairs->DnsDomainName.value, av_pairs->DnsDomainName.length);
+	}
+
+	if (av_pairs->DnsComputerName.length > 0)
+	{
+		printf("\tAvId: MsvAvDnsComputerName AvLen: %d\n", av_pairs->DnsComputerName.length);
+		freerdp_hexdump(av_pairs->DnsComputerName.value, av_pairs->DnsComputerName.length);
+	}
+
+	if (av_pairs->DnsTreeName.length > 0)
+	{
+		printf("\tAvId: MsvAvDnsTreeName AvLen: %d\n", av_pairs->DnsTreeName.length);
+		freerdp_hexdump(av_pairs->DnsTreeName.value, av_pairs->DnsTreeName.length);
+	}
+
+	if (av_pairs->Timestamp.length > 0)
+	{
+		printf("\tAvId: MsvAvTimestamp AvLen: %d\n", av_pairs->Timestamp.length);
+		freerdp_hexdump(av_pairs->Timestamp.value, av_pairs->Timestamp.length);
+	}
+
+	if (av_pairs->Flags > 0)
+	{
+		printf("\tAvId: MsvAvFlags AvLen: %d\n", 4);
+		printf("0x%08X\n", av_pairs->Flags);
+	}
+
+	if (av_pairs->Restrictions.length > 0)
+	{
+		printf("\tAvId: MsvAvRestrictions AvLen: %d\n", av_pairs->Restrictions.length);
+		freerdp_hexdump(av_pairs->Restrictions.value, av_pairs->Restrictions.length);
+	}
+
+	if (av_pairs->ChannelBindings.length > 0)
+	{
+		printf("\tAvId: MsvChannelBindings AvLen: %d\n", av_pairs->ChannelBindings.length);
+		freerdp_hexdump(av_pairs->ChannelBindings.value, av_pairs->ChannelBindings.length);
+	}
+
+	if (av_pairs->TargetName.length > 0)
+	{
+		printf("\tAvId: MsvAvTargetName AvLen: %d\n", av_pairs->TargetName.length);
+		freerdp_hexdump(av_pairs->TargetName.value, av_pairs->TargetName.length);
+	}
+
+	printf("}\n");
+}
+
+/**
+ * Free array of AV_PAIRs.\n
+ * AV_PAIR @msdn{cc236646}
+ * @param NTLM context
+ */
+
+void ntlm_free_av_pairs(NTLM_CONTEXT* context)
+{
+	AV_PAIRS* av_pairs = context->av_pairs;
+
+	if (av_pairs != NULL)
+	{
+		if (av_pairs->NbComputerName.value != NULL)
+			xfree(av_pairs->NbComputerName.value);
+		if (av_pairs->NbDomainName.value != NULL)
+			xfree(av_pairs->NbDomainName.value);
+		if (av_pairs->DnsComputerName.value != NULL)
+			xfree(av_pairs->DnsComputerName.value);
+		if (av_pairs->DnsDomainName.value != NULL)
+			xfree(av_pairs->DnsDomainName.value);
+		if (av_pairs->DnsTreeName.value != NULL)
+			xfree(av_pairs->DnsTreeName.value);
+		if (av_pairs->Timestamp.value != NULL)
+			xfree(av_pairs->Timestamp.value);
+		if (av_pairs->Restrictions.value != NULL)
+			xfree(av_pairs->Restrictions.value);
+		if (av_pairs->TargetName.value != NULL)
+			xfree(av_pairs->TargetName.value);
+		if (av_pairs->ChannelBindings.value != NULL)
+			xfree(av_pairs->ChannelBindings.value);
+
+		xfree(av_pairs);
+	}
+
+	context->av_pairs = NULL;
+}
+
+/**
+ * Get current time, in tenths of microseconds since midnight of January 1, 1601.
+ * @param[out] timestamp 64-bit little-endian timestamp
+ */
+
+void ntlm_current_time(uint8* timestamp)
+{
+	uint64 time64;
+
+	/* Timestamp (8 bytes), represented as the number of tenths of microseconds since midnight of January 1, 1601 */
+	time64 = time(NULL) + 11644473600LL; /* Seconds since January 1, 1601 */
+	time64 *= 10000000; /* Convert timestamp to tenths of a microsecond */
+
+	memcpy(timestamp, &time64, 8); /* Copy into timestamp in little-endian */
+}
+
+/**
+ * Generate timestamp for AUTHENTICATE_MESSAGE.
+ * @param NTLM context
+ */
+
+void ntlm_generate_timestamp(NTLM_CONTEXT* context)
+{
+	ntlm_current_time(context->Timestamp);
+
+	if (context->ntlm_v2)
+	{
+		if (context->av_pairs->Timestamp.length == 8)
+		{
+			memcpy(context->av_pairs->Timestamp.value, context->Timestamp, 8);
+			return;
+		}
+	}
+	else
+	{
+		if (context->av_pairs->Timestamp.length != 8)
+		{
+			context->av_pairs->Timestamp.length = 8;
+			context->av_pairs->Timestamp.value = xmalloc(context->av_pairs->Timestamp.length);
+		}
+
+		memcpy(context->av_pairs->Timestamp.value, context->Timestamp, 8);
+	}
+}
+
+void ntlm_compute_ntlm_hash(uint16* password, uint32 length, char* hash)
+{
+	/* NTLMv1("password") = 8846F7EAEE8FB117AD06BDD830B7586C */
+
+	MD4_CTX md4_ctx;
+
+	/* Password needs to be in unicode */
+
+	/* Apply the MD4 digest algorithm on the password in unicode, the result is the NTLM hash */
+
+	MD4_Init(&md4_ctx);
+	MD4_Update(&md4_ctx, password, length);
+	MD4_Final((void*) hash, &md4_ctx);
+}
+
+void ntlm_compute_ntlm_v2_hash(NTLM_CONTEXT* context, char* hash)
+{
+	char* p;
+	SEC_BUFFER buffer;
+	char ntlm_hash[16];
+
+	sspi_SecBufferAlloc(&buffer, context->identity.UserLength + context->identity.DomainLength);
+	p = (char*) buffer.pvBuffer;
+
+	/* First, compute the NTLMv1 hash of the password */
+	ntlm_compute_ntlm_hash(context->identity.Password, context->identity.PasswordLength, ntlm_hash);
+
+	/* Concatenate(Uppercase(username),domain)*/
+	memcpy(p, context->identity.User, context->identity.UserLength);
+	freerdp_uniconv_uppercase(context->uniconv, p, context->identity.UserLength / 2);
+
+	memcpy(&p[context->identity.UserLength], context->identity.Domain, context->identity.DomainLength);
+
+	/* Compute the HMAC-MD5 hash of the above value using the NTLMv1 hash as the key, the result is the NTLMv2 hash */
+	HMAC(EVP_md5(), (void*) ntlm_hash, 16, buffer.pvBuffer, buffer.cbBuffer, (void*) hash, NULL);
+
+	sspi_SecBufferFree(&buffer);
+}
+
+void ntlm_compute_lm_v2_response(NTLM_CONTEXT* context)
+{
+	char* response;
+	char value[16];
+	char ntlm_v2_hash[16];
+
+	/* Compute the NTLMv2 hash */
+	ntlm_compute_ntlm_v2_hash(context, ntlm_v2_hash);
+
+	/* Concatenate the server and client challenges */
+	memcpy(value, context->ServerChallenge, 8);
+	memcpy(&value[8], context->ClientChallenge, 8);
+
+	sspi_SecBufferAlloc(&context->LmChallengeResponse, 24);
+	response = (char*) context->LmChallengeResponse.pvBuffer;
+
+	/* Compute the HMAC-MD5 hash of the resulting value using the NTLMv2 hash as the key */
+	HMAC(EVP_md5(), (void*) ntlm_v2_hash, 16, (void*) value, 16, (void*) response, NULL);
+
+	/* Concatenate the resulting HMAC-MD5 hash and the client challenge, giving us the LMv2 response (24 bytes) */
+	memcpy(&response[16], context->ClientChallenge, 8);
+}
+
+/**
+ * Compute NTLMv2 Response.\n
+ * NTLMv2_RESPONSE @msdn{cc236653}\n
+ * NTLMv2 Authentication @msdn{cc236700}
+ * @param NTLM context
+ */
+
+void ntlm_compute_ntlm_v2_response(NTLM_CONTEXT* context)
+{
+	uint8* blob;
+	uint8 ntlm_v2_hash[16];
+	uint8 nt_proof_str[16];
+	SEC_BUFFER ntlm_v2_temp;
+	SEC_BUFFER ntlm_v2_temp_chal;
+
+	sspi_SecBufferAlloc(&ntlm_v2_temp, context->TargetInfo.cbBuffer + 28);
+
+	memset(ntlm_v2_temp.pvBuffer, '\0', ntlm_v2_temp.cbBuffer);
+	blob = (uint8*) ntlm_v2_temp.pvBuffer;
+
+	/* Compute the NTLMv2 hash */
+	ntlm_compute_ntlm_v2_hash(context, (char*) ntlm_v2_hash);
+
+#ifdef WITH_DEBUG_NTLM
+	printf("Password (length = %d)\n", context->identity.PasswordLength);
+	freerdp_hexdump((uint8*) context->identity.Password, context->identity.PasswordLength);
+	printf("\n");
+
+	printf("Username (length = %d)\n", context->identity.UserLength);
+	freerdp_hexdump((uint8*) context->identity.User, context->identity.UserLength);
+	printf("\n");
+
+	printf("Domain (length = %d)\n", context->identity.DomainLength);
+	freerdp_hexdump((uint8*) context->identity.Domain, context->identity.DomainLength);
+	printf("\n");
+
+	printf("Workstation (length = %d)\n", context->WorkstationLength);
+	freerdp_hexdump((uint8*) context->Workstation, context->WorkstationLength);
+	printf("\n");
+
+	printf("NTOWFv2, NTLMv2 Hash\n");
+	freerdp_hexdump(ntlm_v2_hash, 16);
+	printf("\n");
+#endif
+
+	/* Construct temp */
+	blob[0] = 1; /* RespType (1 byte) */
+	blob[1] = 1; /* HighRespType (1 byte) */
+	/* Reserved1 (2 bytes) */
+	/* Reserved2 (4 bytes) */
+	memcpy(&blob[8], context->av_pairs->Timestamp.value, 8); /* Timestamp (8 bytes) */
+	memcpy(&blob[16], context->ClientChallenge, 8); /* ClientChallenge (8 bytes) */
+	/* Reserved3 (4 bytes) */
+	memcpy(&blob[28], context->TargetInfo.pvBuffer, context->TargetInfo.cbBuffer);
+
+#ifdef WITH_DEBUG_NTLM
+	printf("NTLMv2 Response Temp Blob\n");
+	freerdp_hexdump(ntlm_v2_temp.pvBuffer, ntlm_v2_temp.cbBuffer);
+	printf("\n");
+#endif
+
+	/* Concatenate server challenge with temp */
+	sspi_SecBufferAlloc(&ntlm_v2_temp_chal, ntlm_v2_temp.cbBuffer + 8);
+	blob = (uint8*) ntlm_v2_temp_chal.pvBuffer;
+	memcpy(blob, context->ServerChallenge, 8);
+	memcpy(&blob[8], ntlm_v2_temp.pvBuffer, ntlm_v2_temp.cbBuffer);
+
+	HMAC(EVP_md5(), (void*) ntlm_v2_hash, 16, ntlm_v2_temp_chal.pvBuffer,
+		ntlm_v2_temp_chal.cbBuffer, (void*) nt_proof_str, NULL);
+
+	/* NtChallengeResponse, Concatenate NTProofStr with temp */
+	sspi_SecBufferAlloc(&context->NtChallengeResponse, ntlm_v2_temp.cbBuffer + 16);
+	blob = (uint8*) context->NtChallengeResponse.pvBuffer;
+	memcpy(blob, nt_proof_str, 16);
+	memcpy(&blob[16], ntlm_v2_temp.pvBuffer, ntlm_v2_temp.cbBuffer);
+
+	/* Compute SessionBaseKey, the HMAC-MD5 hash of NTProofStr using the NTLMv2 hash as the key */
+	HMAC(EVP_md5(), (void*) ntlm_v2_hash, 16, (void*) nt_proof_str, 16, (void*) context->SessionBaseKey, NULL);
+
+	sspi_SecBufferFree(&ntlm_v2_temp);
+	sspi_SecBufferFree(&ntlm_v2_temp_chal);
+}
+
+/**
+ * Encrypt the given plain text using RC4 and the given key.
+ * @param key RC4 key
+ * @param length text length
+ * @param plaintext plain text
+ * @param ciphertext cipher text
+ */
+
+void ntlm_rc4k(uint8* key, int length, uint8* plaintext, uint8* ciphertext)
+{
+	CryptoRc4 rc4;
+
+	/* Initialize RC4 cipher with key */
+	rc4 = crypto_rc4_init((void*) key, 16);
+
+	/* Encrypt plaintext with key */
+	crypto_rc4(rc4, length, (void*) plaintext, (void*) ciphertext);
+
+	/* Free RC4 Cipher */
+	crypto_rc4_free(rc4);
+}
+
+/**
+ * Generate client challenge (8-byte nonce).
+ * @param NTLM context
+ */
+
+void ntlm_generate_client_challenge(NTLM_CONTEXT* context)
+{
+	/* ClientChallenge is used in computation of LMv2 and NTLMv2 responses */
+	crypto_nonce(context->ClientChallenge, 8);
+}
+
+/**
+ * Generate server challenge (8-byte nonce).
+ * @param NTLM context
+ */
+
+void ntlm_generate_server_challenge(NTLM_CONTEXT* context)
+{
+	crypto_nonce(context->ServerChallenge, 8);
+}
+
+/**
+ * Generate KeyExchangeKey (the 128-bit SessionBaseKey).\n
+ * @msdn{cc236710}
+ * @param NTLM context
+ */
+
+void ntlm_generate_key_exchange_key(NTLM_CONTEXT* context)
+{
+	/* In NTLMv2, KeyExchangeKey is the 128-bit SessionBaseKey */
+	memcpy(context->KeyExchangeKey, context->SessionBaseKey, 16);
+}
+
+/**
+ * Generate RandomSessionKey (16-byte nonce).
+ * @param NTLM context
+ */
+
+void ntlm_generate_random_session_key(NTLM_CONTEXT* context)
+{
+	crypto_nonce(context->RandomSessionKey, 16);
+}
+
+/**
+ * Generate ExportedSessionKey (the RandomSessionKey, exported)
+ * @param NTLM context
+ */
+
+void ntlm_generate_exported_session_key(NTLM_CONTEXT* context)
+{
+	memcpy(context->ExportedSessionKey, context->RandomSessionKey, 16);
+}
+
+/**
+ * Encrypt RandomSessionKey (RC4-encrypted RandomSessionKey, using KeyExchangeKey as the key).
+ * @param NTLM context
+ */
+
+void ntlm_encrypt_random_session_key(NTLM_CONTEXT* context)
+{
+	/* In NTLMv2, EncryptedRandomSessionKey is the ExportedSessionKey RC4-encrypted with the KeyExchangeKey */
+	ntlm_rc4k(context->KeyExchangeKey, 16, context->RandomSessionKey, context->EncryptedRandomSessionKey);
+}
+
+/**
+ * Generate signing key.\n
+ * @msdn{cc236711}
+ * @param exported_session_key ExportedSessionKey
+ * @param sign_magic Sign magic string
+ * @param signing_key Destination signing key
+ */
+
+void ntlm_generate_signing_key(uint8* exported_session_key, SEC_BUFFER* sign_magic, uint8* signing_key)
+{
+	int length;
+	uint8* value;
+	CryptoMd5 md5;
+
+	length = 16 + sign_magic->cbBuffer;
+	value = (uint8*) xmalloc(length);
+
+	/* Concatenate ExportedSessionKey with sign magic */
+	memcpy(value, exported_session_key, 16);
+	memcpy(&value[16], sign_magic->pvBuffer, sign_magic->cbBuffer);
+
+	md5 = crypto_md5_init();
+	crypto_md5_update(md5, value, length);
+	crypto_md5_final(md5, signing_key);
+
+	xfree(value);
+}
+
+/**
+ * Generate client signing key (ClientSigningKey).\n
+ * @msdn{cc236711}
+ * @param NTLM context
+ */
+
+void ntlm_generate_client_signing_key(NTLM_CONTEXT* context)
+{
+	SEC_BUFFER sign_magic;
+	sign_magic.pvBuffer = (void*) client_sign_magic;
+	sign_magic.cbBuffer = sizeof(client_sign_magic);
+	ntlm_generate_signing_key(context->ExportedSessionKey, &sign_magic, context->ClientSigningKey);
+}
+
+/**
+ * Generate server signing key (ServerSigningKey).\n
+ * @msdn{cc236711}
+ * @param NTLM context
+ */
+
+void ntlm_generate_server_signing_key(NTLM_CONTEXT* context)
+{
+	SEC_BUFFER sign_magic;
+	sign_magic.pvBuffer = (void*) server_sign_magic;
+	sign_magic.cbBuffer = sizeof(server_sign_magic);
+	ntlm_generate_signing_key(context->ExportedSessionKey, &sign_magic, context->ServerSigningKey);
+}
+
+/**
+ * Generate sealing key.\n
+ * @msdn{cc236712}
+ * @param exported_session_key ExportedSessionKey
+ * @param seal_magic Seal magic string
+ * @param sealing_key Destination sealing key
+ */
+
+void ntlm_generate_sealing_key(uint8* exported_session_key, SEC_BUFFER* seal_magic, uint8* sealing_key)
+{
+	uint8* p;
+	CryptoMd5 md5;
+	SEC_BUFFER buffer;
+
+	sspi_SecBufferAlloc(&buffer, 16 + seal_magic->cbBuffer);
+	p = (uint8*) buffer.pvBuffer;
+
+	/* Concatenate ExportedSessionKey with seal magic */
+	memcpy(p, exported_session_key, 16);
+	memcpy(&p[16], seal_magic->pvBuffer, seal_magic->cbBuffer);
+
+	md5 = crypto_md5_init();
+	crypto_md5_update(md5, buffer.pvBuffer, buffer.cbBuffer);
+	crypto_md5_final(md5, sealing_key);
+
+	sspi_SecBufferFree(&buffer);
+}
+
+/**
+ * Generate client sealing key (ClientSealingKey).\n
+ * @msdn{cc236712}
+ * @param NTLM context
+ */
+
+void ntlm_generate_client_sealing_key(NTLM_CONTEXT* context)
+{
+	SEC_BUFFER seal_magic;
+	seal_magic.pvBuffer = (void*) client_seal_magic;
+	seal_magic.cbBuffer = sizeof(client_seal_magic);
+	ntlm_generate_signing_key(context->ExportedSessionKey, &seal_magic, context->ClientSealingKey);
+}
+
+/**
+ * Generate server sealing key (ServerSealingKey).\n
+ * @msdn{cc236712}
+ * @param NTLM context
+ */
+
+void ntlm_generate_server_sealing_key(NTLM_CONTEXT* context)
+{
+	SEC_BUFFER seal_magic;
+	seal_magic.pvBuffer = (void*) server_seal_magic;
+	seal_magic.cbBuffer = sizeof(server_seal_magic);
+	ntlm_generate_signing_key(context->ExportedSessionKey, &seal_magic, context->ServerSealingKey);
+}
+
+/**
+ * Initialize RC4 stream cipher states for sealing.
+ * @param NTLM context
+ */
+
+void ntlm_init_rc4_seal_states(NTLM_CONTEXT* context)
+{
+	context->send_rc4_seal = crypto_rc4_init(context->ClientSealingKey, 16);
+	context->recv_rc4_seal = crypto_rc4_init(context->ServerSealingKey, 16);
+}
+
+void ntlm_compute_message_integrity_check(NTLM_CONTEXT* context)
+{
+	HMAC_CTX hmac_ctx;
+
+	/*
+	 * Compute the HMAC-MD5 hash of ConcatenationOf(NEGOTIATE_MESSAGE,
+	 * CHALLENGE_MESSAGE, AUTHENTICATE_MESSAGE) using the ExportedSessionKey
+	 */
+
+	HMAC_CTX_init(&hmac_ctx);
+	HMAC_Init_ex(&hmac_ctx, context->ExportedSessionKey, 16, EVP_md5(), NULL);
+	HMAC_Update(&hmac_ctx, context->NegotiateMessage.pvBuffer, context->NegotiateMessage.cbBuffer);
+	HMAC_Update(&hmac_ctx, context->ChallengeMessage.pvBuffer, context->ChallengeMessage.cbBuffer);
+	HMAC_Update(&hmac_ctx, context->AuthenticateMessage.pvBuffer, context->AuthenticateMessage.cbBuffer);
+	HMAC_Final(&hmac_ctx, context->MessageIntegrityCheck, NULL);
+}
+

libfreerdp-auth/NTLM/ntlm_compute.h

@@ -0,0 +1,60 @@
+/**
+ * FreeRDP: A Remote Desktop Protocol Implementation
+ * NTLM Security Package (Compute)
+ *
+ * Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef FREERDP_AUTH_NTLM_COMPUTE_H
+#define FREERDP_AUTH_NTLM_COMPUTE_H
+
+#include "ntlm.h"
+
+void ntlm_output_restriction_encoding(NTLM_CONTEXT* context);
+void ntlm_output_target_name(NTLM_CONTEXT* context);
+void ntlm_output_channel_bindings(NTLM_CONTEXT* context);
+
+void ntlm_input_av_pairs(NTLM_CONTEXT* context, STREAM* s);
+void ntlm_output_av_pairs(NTLM_CONTEXT* context, STREAM* s);
+void ntlm_populate_av_pairs(NTLM_CONTEXT* context);
+void ntlm_print_av_pairs(NTLM_CONTEXT* context);
+void ntlm_free_av_pairs(NTLM_CONTEXT* context);
+
+void ntlm_current_time(uint8* timestamp);
+void ntlm_generate_timestamp(NTLM_CONTEXT* context);
+
+void ntlm_compute_ntlm_hash(uint16* password, uint32 length, char* hash);
+void ntlm_compute_ntlm_v2_hash(NTLM_CONTEXT* context, char* hash);
+void ntlm_compute_lm_v2_response(NTLM_CONTEXT* context);
+void ntlm_compute_ntlm_v2_response(NTLM_CONTEXT* context);
+
+void ntlm_rc4k(uint8* key, int length, uint8* plaintext, uint8* ciphertext);
+void ntlm_generate_client_challenge(NTLM_CONTEXT* context);
+void ntlm_generate_server_challenge(NTLM_CONTEXT* context);
+void ntlm_generate_key_exchange_key(NTLM_CONTEXT* context);
+void ntlm_generate_random_session_key(NTLM_CONTEXT* context);
+void ntlm_generate_exported_session_key(NTLM_CONTEXT* context);
+void ntlm_encrypt_random_session_key(NTLM_CONTEXT* context);
+
+void ntlm_generate_client_signing_key(NTLM_CONTEXT* context);
+void ntlm_generate_server_signing_key(NTLM_CONTEXT* context);
+void ntlm_generate_client_sealing_key(NTLM_CONTEXT* context);
+void ntlm_generate_server_sealing_key(NTLM_CONTEXT* context);
+void ntlm_init_rc4_seal_states(NTLM_CONTEXT* context);
+
+void ntlm_compute_message_integrity_check(NTLM_CONTEXT* context);
+
+#endif /*  FREERDP_AUTH_NTLM_COMPUTE_H */
+

libfreerdp-auth/NTLM/ntlm_message.c

@@ -21,6 +21,9 @@
 #include "../sspi.h"
 
 #include <freerdp/utils/stream.h>
+#include <freerdp/utils/hexdump.h>
+
+#include "ntlm_compute.h"
 
 #include "ntlm_message.h"
 
@@ -70,6 +73,42 @@
 
 static const char NTLM_SIGNATURE[] = "NTLMSSP";
 
+static const char* const NTLM_NEGOTIATE_STRINGS[] =
+{
+	"NTLMSSP_NEGOTIATE_56",
+	"NTLMSSP_NEGOTIATE_KEY_EXCH",
+	"NTLMSSP_NEGOTIATE_128",
+	"NTLMSSP_RESERVED1",
+	"NTLMSSP_RESERVED2",
+	"NTLMSSP_RESERVED3",
+	"NTLMSSP_NEGOTIATE_VERSION",
+	"NTLMSSP_RESERVED4",
+	"NTLMSSP_NEGOTIATE_TARGET_INFO",
+	"NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
+	"NTLMSSP_RESERVED5",
+	"NTLMSSP_NEGOTIATE_IDENTIFY",
+	"NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY",
+	"NTLMSSP_RESERVED6",
+	"NTLMSSP_TARGET_TYPE_SERVER",
+	"NTLMSSP_TARGET_TYPE_DOMAIN",
+	"NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
+	"NTLMSSP_RESERVED7",
+	"NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED",
+	"NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED",
+	"NTLMSSP_NEGOTIATE_ANONYMOUS",
+	"NTLMSSP_RESERVED8",
+	"NTLMSSP_NEGOTIATE_NTLM",
+	"NTLMSSP_RESERVED9",
+	"NTLMSSP_NEGOTIATE_LM_KEY",
+	"NTLMSSP_NEGOTIATE_DATAGRAM",
+	"NTLMSSP_NEGOTIATE_SEAL",
+	"NTLMSSP_NEGOTIATE_SIGN",
+	"NTLMSSP_RESERVED10",
+	"NTLMSSP_REQUEST_TARGET",
+	"NTLMSSP_NEGOTIATE_OEM",
+	"NTLMSSP_NEGOTIATE_UNICODE"
+};
+
 /**
  * Output VERSION structure.\n
  * VERSION @msdn{cc236654}
@@ -87,6 +126,25 @@ void ntlm_output_version(STREAM* s)
 	stream_write_uint8(s, NTLMSSP_REVISION_W2K3); /* NTLMRevisionCurrent (1 byte) */
 }
 
+void ntlm_print_negotiate_flags(uint32 flags)
+{
+	int i;
+	const char* str;
+
+	printf("negotiateFlags \"0x%08X\"{\n", flags);
+
+	for (i = 31; i >= 0; i--)
+	{
+		if ((flags >> i) & 1)
+		{
+			str = NTLM_NEGOTIATE_STRINGS[(31 - i)];
+			printf("\t%s (%d),\n", str, (31 - i));
+		}
+	}
+
+	printf("}\n");
+}
+
 SECURITY_STATUS ntlm_write_NegotiateMessage(NTLM_CONTEXT* context, SEC_BUFFER* buffer)
 {
 	STREAM* s;
@@ -150,15 +208,468 @@ SECURITY_STATUS ntlm_write_NegotiateMessage(NTLM_CONTEXT* context, SEC_BUFFER* b
 	{
 		/* Only present if NTLMSSP_NEGOTIATE_VERSION is set */
 		ntlm_output_version(s);
+
+#ifdef WITH_DEBUG_NTLM
+		printf("Version (length = 8)\n");
+		freerdp_hexdump((s->p - 8), 8);
+		printf("\n");
+#endif
 	}
 
 	length = s->p - s->data;
 	buffer->cbBuffer = length;
 
-	//freerdp_blob_alloc(&context->negotiate_message, length);
-	//memcpy(context->negotiate_message.data, s->data, length);
+	sspi_SecBufferAlloc(&context->NegotiateMessage, length);
+	memcpy(context->NegotiateMessage.pvBuffer, buffer->pvBuffer, buffer->cbBuffer);
+	context->NegotiateMessage.BufferType = buffer->BufferType;
+
+#ifdef WITH_DEBUG_NTLM
+	printf("NEGOTIATE_MESSAGE (length = %d)\n", length);
+	freerdp_hexdump(s->data, length);
+	printf("\n");
+#endif
 
 	context->state = NTLM_STATE_CHALLENGE;
 
 	return SEC_I_CONTINUE_NEEDED;
 }
+
+SECURITY_STATUS ntlm_read_ChallengeMessage(NTLM_CONTEXT* context, SEC_BUFFER* buffer)
+{
+	uint8* p;
+	STREAM* s;
+	int length;
+	char signature[8];
+	uint32 messageType;
+	uint8* start_offset;
+	uint8* payload_offset;
+	uint16 targetNameLen;
+	uint16 targetNameMaxLen;
+	uint32 targetNameBufferOffset;
+	uint16 targetInfoLen;
+	uint16 targetInfoMaxLen;
+	uint32 targetInfoBufferOffset;
+
+	s = stream_new(0);
+	stream_attach(s, buffer->pvBuffer, buffer->cbBuffer);
+
+	stream_read(s, signature, 8);
+	stream_read_uint32(s, messageType);
+
+	if (memcmp(signature, NTLM_SIGNATURE, 8) != 0)
+	{
+		printf("Unexpected NTLM signature: %s, expected:%s\n", signature, NTLM_SIGNATURE);
+		return SEC_E_INVALID_TOKEN;
+	}
+
+	start_offset = s->p - 12;
+
+	/* TargetNameFields (8 bytes) */
+	stream_read_uint16(s, targetNameLen); /* TargetNameLen (2 bytes) */
+	stream_read_uint16(s, targetNameMaxLen); /* TargetNameMaxLen (2 bytes) */
+	stream_read_uint32(s, targetNameBufferOffset); /* TargetNameBufferOffset (4 bytes) */
+
+	stream_read_uint32(s, context->NegotiateFlags); /* NegotiateFlags (4 bytes) */
+
+#ifdef WITH_DEBUG_NTLM
+	ntlm_print_negotiate_flags(context->NegotiateFlags);
+#endif
+
+	stream_read(s, context->ServerChallenge, 8); /* ServerChallenge (8 bytes) */
+	stream_seek(s, 8); /* Reserved (8 bytes), should be ignored */
+
+	/* TargetInfoFields (8 bytes) */
+	stream_read_uint16(s, targetInfoLen); /* TargetInfoLen (2 bytes) */
+	stream_read_uint16(s, targetInfoMaxLen); /* TargetInfoMaxLen (2 bytes) */
+	stream_read_uint32(s, targetInfoBufferOffset); /* TargetInfoBufferOffset (4 bytes) */
+
+	/* only present if NTLMSSP_NEGOTIATE_VERSION is set */
+
+	if (context->NegotiateFlags & NTLMSSP_NEGOTIATE_VERSION)
+	{
+		stream_seek(s, 8); /* Version (8 bytes), can be ignored */
+	}
+
+	/* Payload (variable) */
+	payload_offset = s->p;
+
+	if (targetNameLen > 0)
+	{
+		p = start_offset + targetNameBufferOffset;
+		sspi_SecBufferAlloc(&context->TargetName, targetNameLen);
+		memcpy(context->TargetName.pvBuffer, p, targetNameLen);
+
+#ifdef WITH_DEBUG_NTLM
+		printf("TargetName (length = %d, offset = %d)\n", targetNameLen, targetNameBufferOffset);
+		freerdp_hexdump(context->TargetName.pvBuffer, context->TargetName.cbBuffer);
+		printf("\n");
+#endif
+	}
+
+	if (targetInfoLen > 0)
+	{
+		p = start_offset + targetInfoBufferOffset;
+		sspi_SecBufferAlloc(&context->TargetInfo, targetInfoLen);
+		memcpy(context->TargetInfo.pvBuffer, p, targetInfoLen);
+
+#ifdef WITH_DEBUG_NTLM
+		printf("TargetInfo (length = %d, offset = %d)\n", targetInfoLen, targetInfoBufferOffset);
+		freerdp_hexdump(context->TargetInfo.pvBuffer, context->TargetInfo.cbBuffer);
+		printf("\n");
+#endif
+
+		if (context->ntlm_v2)
+		{
+			s->p = p;
+			ntlm_input_av_pairs(context, s);
+		}
+	}
+
+	length = (payload_offset - start_offset) + targetNameLen + targetInfoLen;
+
+	sspi_SecBufferAlloc(&context->ChallengeMessage, length);
+	memcpy(context->ChallengeMessage.pvBuffer, start_offset, length);
+
+#ifdef WITH_DEBUG_NTLM
+	printf("CHALLENGE_MESSAGE (length = %d)\n", length);
+	freerdp_hexdump(context->ChallengeMessage.pvBuffer, context->ChallengeMessage.cbBuffer);
+	printf("\n");
+#endif
+
+	/* AV_PAIRs */
+	if (context->ntlm_v2)
+		ntlm_populate_av_pairs(context);
+
+	/* Timestamp */
+	ntlm_generate_timestamp(context);
+
+	/* LmChallengeResponse */
+	ntlm_compute_lm_v2_response(context);
+
+	if (context->ntlm_v2)
+		memset(context->LmChallengeResponse.pvBuffer, 0, context->LmChallengeResponse.cbBuffer);
+
+	/* NtChallengeResponse */
+	ntlm_compute_ntlm_v2_response(context);
+
+	/* KeyExchangeKey */
+	ntlm_generate_key_exchange_key(context);
+
+	/* EncryptedRandomSessionKey */
+	ntlm_encrypt_random_session_key(context);
+
+	/* Generate signing keys */
+	ntlm_generate_client_signing_key(context);
+	ntlm_generate_server_signing_key(context);
+
+	/* Generate sealing keys */
+	ntlm_generate_client_sealing_key(context);
+	ntlm_generate_server_sealing_key(context);
+
+	/* Initialize RC4 seal state using client sealing key */
+	ntlm_init_rc4_seal_states(context);
+
+#ifdef WITH_DEBUG_NTLM
+	printf("ClientChallenge\n");
+	freerdp_hexdump(context->ClientChallenge, 8);
+	printf("\n");
+
+	printf("ServerChallenge\n");
+	freerdp_hexdump(context->ServerChallenge, 8);
+	printf("\n");
+
+	printf("SessionBaseKey\n");
+	freerdp_hexdump(context->SessionBaseKey, 16);
+	printf("\n");
+
+	printf("KeyExchangeKey\n");
+	freerdp_hexdump(context->KeyExchangeKey, 16);
+	printf("\n");
+
+	printf("ExportedSessionKey\n");
+	freerdp_hexdump(context->ExportedSessionKey, 16);
+	printf("\n");
+
+	printf("RandomSessionKey\n");
+	freerdp_hexdump(context->RandomSessionKey, 16);
+	printf("\n");
+
+	printf("ClientSignKey\n");
+	freerdp_hexdump(context->ClientSigningKey, 16);
+	printf("\n");
+
+	printf("ClientSealingKey\n");
+	freerdp_hexdump(context->ClientSealingKey, 16);
+	printf("\n");
+
+	printf("Timestamp\n");
+	freerdp_hexdump(context->Timestamp, 8);
+	printf("\n");
+#endif
+
+	context->state = NTLM_STATE_AUTHENTICATE;
+
+	return SEC_I_CONTINUE_NEEDED;
+}
+
+/**
+ * Send NTLMSSP AUTHENTICATE_MESSAGE.\n
+ * AUTHENTICATE_MESSAGE @msdn{cc236643}
+ * @param NTLM context
+ * @param buffer
+ */
+
+SECURITY_STATUS ntlm_write_AuthenticateMessage(NTLM_CONTEXT* context, SEC_BUFFER* buffer)
+{
+	STREAM* s;
+	int length;
+	uint8* mic_offset = NULL;
+	uint32 negotiateFlags = 0;
+
+	uint16 DomainNameLen;
+	uint16 UserNameLen;
+	uint16 WorkstationLen;
+	uint16 LmChallengeResponseLen;
+	uint16 NtChallengeResponseLen;
+	uint16 EncryptedRandomSessionKeyLen;
+
+	uint32 PayloadBufferOffset;
+	uint32 DomainNameBufferOffset;
+	uint32 UserNameBufferOffset;
+	uint32 WorkstationBufferOffset;
+	uint32 LmChallengeResponseBufferOffset;
+	uint32 NtChallengeResponseBufferOffset;
+	uint32 EncryptedRandomSessionKeyBufferOffset;
+
+	uint8* UserNameBuffer;
+	uint8* DomainNameBuffer;
+	uint8* WorkstationBuffer;
+	uint8* EncryptedRandomSessionKeyBuffer;
+
+	WorkstationLen = context->WorkstationLength;
+	WorkstationBuffer = (uint8*) context->Workstation;
+
+	s = stream_new(0);
+	stream_attach(s, buffer->pvBuffer, buffer->cbBuffer);
+
+	if (context->ntlm_v2 < 1)
+		WorkstationLen = 0;
+
+	DomainNameLen = context->identity.DomainLength;
+	DomainNameBuffer = (uint8*) context->identity.Domain;
+
+	UserNameLen = context->identity.UserLength;
+	UserNameBuffer = (uint8*) context->identity.User;
+
+	LmChallengeResponseLen = context->LmChallengeResponse.cbBuffer;
+	NtChallengeResponseLen = context->NtChallengeResponse.cbBuffer;
+
+	EncryptedRandomSessionKeyLen = 16;
+	EncryptedRandomSessionKeyBuffer = context->EncryptedRandomSessionKey;
+
+	if (context->ntlm_v2)
+	{
+		/* observed: 35 82 88 e2 (0xE2888235) */
+		negotiateFlags |= NTLMSSP_NEGOTIATE_56;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_128;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_VERSION;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_TARGET_INFO;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_NTLM;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_SEAL;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_SIGN;
+		negotiateFlags |= NTLMSSP_REQUEST_TARGET;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_UNICODE;
+	}
+	else
+	{
+		negotiateFlags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_128;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_NTLM;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_SEAL;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_SIGN;
+		negotiateFlags |= NTLMSSP_REQUEST_TARGET;
+		negotiateFlags |= NTLMSSP_NEGOTIATE_UNICODE;
+	}
+
+	if (context->ntlm_v2)
+		PayloadBufferOffset = 80; /* starting buffer offset */
+	else
+		PayloadBufferOffset = 64; /* starting buffer offset */
+
+	if (negotiateFlags & NTLMSSP_NEGOTIATE_VERSION)
+		PayloadBufferOffset += 8;
+
+	DomainNameBufferOffset = PayloadBufferOffset;
+	UserNameBufferOffset = DomainNameBufferOffset + DomainNameLen;
+	WorkstationBufferOffset = UserNameBufferOffset + UserNameLen;
+	LmChallengeResponseBufferOffset = WorkstationBufferOffset + WorkstationLen;
+	NtChallengeResponseBufferOffset = LmChallengeResponseBufferOffset + LmChallengeResponseLen;
+	EncryptedRandomSessionKeyBufferOffset = NtChallengeResponseBufferOffset + NtChallengeResponseLen;
+
+	stream_write(s, NTLM_SIGNATURE, 8); /* Signature (8 bytes) */
+	stream_write_uint32(s, MESSAGE_TYPE_AUTHENTICATE); /* MessageType */
+
+	/* LmChallengeResponseFields (8 bytes) */
+	stream_write_uint16(s, LmChallengeResponseLen); /* LmChallengeResponseLen */
+	stream_write_uint16(s, LmChallengeResponseLen); /* LmChallengeResponseMaxLen */
+	stream_write_uint32(s, LmChallengeResponseBufferOffset); /* LmChallengeResponseBufferOffset */
+
+	/* NtChallengeResponseFields (8 bytes) */
+	stream_write_uint16(s, NtChallengeResponseLen); /* NtChallengeResponseLen */
+	stream_write_uint16(s, NtChallengeResponseLen); /* NtChallengeResponseMaxLen */
+	stream_write_uint32(s, NtChallengeResponseBufferOffset); /* NtChallengeResponseBufferOffset */
+
+	/* only set if NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED is set */
+
+	/* DomainNameFields (8 bytes) */
+	stream_write_uint16(s, DomainNameLen); /* DomainNameLen */
+	stream_write_uint16(s, DomainNameLen); /* DomainNameMaxLen */
+	stream_write_uint32(s, DomainNameBufferOffset); /* DomainNameBufferOffset */
+
+	/* UserNameFields (8 bytes) */
+	stream_write_uint16(s, UserNameLen); /* UserNameLen */
+	stream_write_uint16(s, UserNameLen); /* UserNameMaxLen */
+	stream_write_uint32(s, UserNameBufferOffset); /* UserNameBufferOffset */
+
+	/* only set if NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED is set */
+
+	/* WorkstationFields (8 bytes) */
+	stream_write_uint16(s, WorkstationLen); /* WorkstationLen */
+	stream_write_uint16(s, WorkstationLen); /* WorkstationMaxLen */
+	stream_write_uint32(s, WorkstationBufferOffset); /* WorkstationBufferOffset */
+
+	/* EncryptedRandomSessionKeyFields (8 bytes) */
+	stream_write_uint16(s, EncryptedRandomSessionKeyLen); /* EncryptedRandomSessionKeyLen */
+	stream_write_uint16(s, EncryptedRandomSessionKeyLen); /* EncryptedRandomSessionKeyMaxLen */
+	stream_write_uint32(s, EncryptedRandomSessionKeyBufferOffset); /* EncryptedRandomSessionKeyBufferOffset */
+
+	stream_write_uint32(s, negotiateFlags); /* NegotiateFlags (4 bytes) */
+
+#ifdef WITH_DEBUG_NTLM
+	ntlm_print_negotiate_flags(negotiateFlags);
+#endif
+
+	if (negotiateFlags & NTLMSSP_NEGOTIATE_VERSION)
+	{
+		/* Only present if NTLMSSP_NEGOTIATE_VERSION is set */
+		ntlm_output_version(s);
+
+#ifdef WITH_DEBUG_NTLM
+		printf("Version (length = 8)\n");
+		freerdp_hexdump((s->p - 8), 8);
+		printf("\n");
+#endif
+	}
+
+	if (context->ntlm_v2)
+	{
+		/* Message Integrity Check */
+		mic_offset = s->p;
+		stream_write_zero(s, 16);
+	}
+
+	/* DomainName */
+	if (DomainNameLen > 0)
+	{
+		stream_write(s, DomainNameBuffer, DomainNameLen);
+#ifdef WITH_DEBUG_NTLM
+		printf("DomainName (length = %d, offset = %d)\n", DomainNameLen, DomainNameBufferOffset);
+		freerdp_hexdump(DomainNameBuffer, DomainNameLen);
+		printf("\n");
+#endif
+	}
+
+	/* UserName */
+	stream_write(s, UserNameBuffer, UserNameLen);
+
+#ifdef WITH_DEBUG_NTLM
+	printf("UserName (length = %d, offset = %d)\n", UserNameLen, UserNameBufferOffset);
+	freerdp_hexdump(UserNameBuffer, UserNameLen);
+	printf("\n");
+#endif
+
+	/* Workstation */
+	if (WorkstationLen > 0)
+	{
+		stream_write(s, WorkstationBuffer, WorkstationLen);
+#ifdef WITH_DEBUG_NTLM
+		printf("Workstation (length = %d, offset = %d)\n", WorkstationLen, WorkstationBufferOffset);
+		freerdp_hexdump(WorkstationBuffer, WorkstationLen);
+		printf("\n");
+#endif
+	}
+
+	/* LmChallengeResponse */
+	stream_write(s, context->LmChallengeResponse.pvBuffer, LmChallengeResponseLen);
+
+#ifdef WITH_DEBUG_NTLM
+	printf("LmChallengeResponse (length = %d, offset = %d)\n", LmChallengeResponseLen, LmChallengeResponseBufferOffset);
+	freerdp_hexdump(context->LmChallengeResponse.pvBuffer, LmChallengeResponseLen);
+	printf("\n");
+#endif
+
+	/* NtChallengeResponse */
+	stream_write(s, context->NtChallengeResponse.pvBuffer, NtChallengeResponseLen);
+
+#ifdef WITH_DEBUG_NTLM
+	if (context->ntlm_v2)
+	{
+		ntlm_print_av_pairs(context);
+
+		printf("targetInfo (length = %d)\n", context->TargetInfo.cbBuffer);
+		freerdp_hexdump(context->TargetInfo.pvBuffer, context->TargetInfo.cbBuffer);
+		printf("\n");
+	}
+#endif
+
+#ifdef WITH_DEBUG_NTLM
+	printf("NtChallengeResponse (length = %d, offset = %d)\n", NtChallengeResponseLen, NtChallengeResponseBufferOffset);
+	freerdp_hexdump(context->NtChallengeResponse.pvBuffer, NtChallengeResponseLen);
+	printf("\n");
+#endif
+
+	/* EncryptedRandomSessionKey */
+	stream_write(s, EncryptedRandomSessionKeyBuffer, EncryptedRandomSessionKeyLen);
+
+#ifdef WITH_DEBUG_NTLM
+	printf("EncryptedRandomSessionKey (length = %d, offset = %d)\n", EncryptedRandomSessionKeyLen, EncryptedRandomSessionKeyBufferOffset);
+	freerdp_hexdump(EncryptedRandomSessionKeyBuffer, EncryptedRandomSessionKeyLen);
+	printf("\n");
+#endif
+
+	length = s->p - s->data;
+	sspi_SecBufferAlloc(&context->AuthenticateMessage, length);
+	memcpy(context->AuthenticateMessage.pvBuffer, s->data, length);
+	buffer->cbBuffer = length;
+
+	if (context->ntlm_v2)
+	{
+		/* Message Integrity Check */
+		ntlm_compute_message_integrity_check(context);
+
+		s->p = mic_offset;
+		stream_write(s, context->MessageIntegrityCheck, 16);
+		s->p = s->data + length;
+
+#ifdef WITH_DEBUG_NTLM
+		printf("MessageIntegrityCheck (length = 16)\n");
+		freerdp_hexdump(mic_offset, 16);
+		printf("\n");
+#endif
+	}
+
+#ifdef WITH_DEBUG_NTLM
+	printf("AUTHENTICATE_MESSAGE (length = %d)\n", length);
+	freerdp_hexdump(s->data, length);
+	printf("\n");
+#endif
+
+	context->state = NTLM_STATE_FINAL;
+
+	return SEC_I_COMPLETE_NEEDED;
+}

libfreerdp-auth/NTLM/ntlm_message.h

@@ -17,6 +17,13 @@
  * limitations under the License.
  */
 
+#ifndef FREERDP_AUTH_NTLM_MESSAGE_H
+#define FREERDP_AUTH_NTLM_MESSAGE_H
+
 #include "ntlm.h"
 
 SECURITY_STATUS ntlm_write_NegotiateMessage(NTLM_CONTEXT* context, SEC_BUFFER* buffer);
+SECURITY_STATUS ntlm_read_ChallengeMessage(NTLM_CONTEXT* context, SEC_BUFFER* buffer);
+SECURITY_STATUS ntlm_write_AuthenticateMessage(NTLM_CONTEXT* context, SEC_BUFFER* buffer);
+
+#endif /* FREERDP_AUTH_NTLM_MESSAGE_H */

libfreerdp-auth/credssp.c

@@ -29,6 +29,8 @@
 #include <freerdp/auth/sspi.h>
 #include <freerdp/auth/credssp.h>
 
+//#define WITH_SSPI		1
+
 /**
  * TSRequest ::= SEQUENCE {
  * 	version    [0] INTEGER,
@@ -142,6 +144,8 @@ int credssp_ntlmssp_server_init(rdpCredssp* credssp)
  * @return 1 if authentication is successful
  */
 
+#ifndef WITH_SSPI
+
 int credssp_client_authenticate(rdpCredssp* credssp)
 {
 	NTLMSSP* ntlmssp = credssp->ntlmssp;
@@ -202,6 +206,306 @@ int credssp_client_authenticate(rdpCredssp* credssp)
 	return 1;
 }
 
+#else
+
+#define NTLM_PACKAGE_NAME		"NTLM"
+
+int credssp_client_authenticate(rdpCredssp* credssp)
+{
+	uint32 cbMaxLen;
+	uint32 fContextReq;
+	CTXT_HANDLE context;
+	uint32 pfContextAttr;
+	SECURITY_STATUS status;
+	CRED_HANDLE credentials;
+	SEC_TIMESTAMP expiration;
+	SEC_PKG_INFO* pPackageInfo;
+	SEC_AUTH_IDENTITY identity;
+	SEC_BUFFER* p_sec_buffer;
+	SEC_BUFFER input_sec_buffer;
+	SEC_BUFFER output_sec_buffer;
+	SEC_BUFFER_DESC input_sec_buffer_desc;
+	SEC_BUFFER_DESC output_sec_buffer_desc;
+	boolean have_context;
+	boolean have_input_buffer;
+	boolean have_pub_key_auth;
+	SECURITY_FUNCTION_TABLE* table;
+	rdpSettings* settings = credssp->settings;
+
+	sspi_GlobalInit();
+
+	if (credssp_ntlmssp_client_init(credssp) == 0)
+		return 0;
+
+	table = InitSecurityInterface();
+
+	status = QuerySecurityPackageInfo(NTLM_PACKAGE_NAME, &pPackageInfo);
+
+	if (status != SEC_E_OK)
+	{
+		printf("QuerySecurityPackageInfo status: 0x%08X\n", status);
+		return 0;
+	}
+
+	cbMaxLen = pPackageInfo->cbMaxToken;
+
+	identity.User = (uint16*) xstrdup(settings->username);
+	identity.UserLength = strlen(settings->username);
+
+	if (settings->domain)
+	{
+		identity.Domain = (uint16*) xstrdup(settings->domain);
+		identity.DomainLength = strlen(settings->domain);
+	}
+	else
+	{
+		identity.Domain = (uint16*) NULL;
+		identity.DomainLength = 0;
+	}
+
+	identity.Password = (uint16*) xstrdup(settings->password);
+	identity.PasswordLength = strlen(settings->password);
+
+	identity.Flags = SEC_AUTH_IDENTITY_ANSI;
+
+	status = table->AcquireCredentialsHandle(NULL, NTLM_PACKAGE_NAME,
+			SECPKG_CRED_OUTBOUND, NULL, &identity, NULL, NULL, &credentials, &expiration);
+
+	if (status != SEC_E_OK)
+	{
+		printf("AcquireCredentialsHandle status: 0x%08X\n", status);
+		return 0;
+	}
+
+	have_context = false;
+	have_input_buffer = false;
+	have_pub_key_auth = false;
+	memset(&input_sec_buffer, 0, sizeof(SEC_BUFFER));
+	memset(&output_sec_buffer, 0, sizeof(SEC_BUFFER));
+
+	fContextReq = ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT |
+			ISC_REQ_CONFIDENTIALITY | ISC_REQ_DELEGATE;
+
+	while (true)
+	{
+		output_sec_buffer_desc.ulVersion = SECBUFFER_VERSION;
+		output_sec_buffer_desc.cBuffers = 1;
+		output_sec_buffer_desc.pBuffers = &output_sec_buffer;
+		output_sec_buffer.BufferType = SECBUFFER_TOKEN;
+		output_sec_buffer.cbBuffer = cbMaxLen;
+		output_sec_buffer.pvBuffer = xmalloc(output_sec_buffer.cbBuffer);
+
+		status = table->InitializeSecurityContext(&credentials,
+				(have_context) ? &context : NULL,
+				NULL, fContextReq, 0, SECURITY_NATIVE_DREP,
+				(have_input_buffer) ? &input_sec_buffer_desc : NULL,
+				0, &context, &output_sec_buffer_desc, &pfContextAttr, &expiration);
+
+		if (input_sec_buffer.pvBuffer != NULL)
+		{
+			xfree(input_sec_buffer.pvBuffer);
+			input_sec_buffer.pvBuffer = NULL;
+		}
+
+		if ((status == SEC_I_COMPLETE_AND_CONTINUE) || (status == SEC_I_COMPLETE_NEEDED))
+		{
+			if (table->CompleteAuthToken != NULL)
+				table->CompleteAuthToken(&context, &output_sec_buffer_desc);
+
+			have_pub_key_auth = true;
+
+			if (have_pub_key_auth)
+			{
+				uint8* p;
+				SEC_BUFFER Buffers[2];
+				SEC_BUFFER_DESC Message;
+
+				Buffers[0].BufferType = SECBUFFER_DATA; /* TLS Public Key */
+				Buffers[1].BufferType = SECBUFFER_PADDING; /* Signature */
+
+				Buffers[0].cbBuffer = credssp->tls->public_key.length;
+				Buffers[0].pvBuffer = xmalloc(Buffers[0].cbBuffer);
+				memcpy(Buffers[0].pvBuffer, credssp->tls->public_key.data, Buffers[0].cbBuffer);
+
+				Buffers[1].cbBuffer = 16;
+				Buffers[1].pvBuffer = xzalloc(Buffers[1].cbBuffer);
+
+				Message.cBuffers = 2;
+				Message.ulVersion = SECBUFFER_VERSION;
+				Message.pBuffers = (SEC_BUFFER*) &Buffers;
+
+				freerdp_blob_alloc(&credssp->pubKeyAuth, Buffers[0].cbBuffer + Buffers[1].cbBuffer);
+
+				table->EncryptMessage(&context, 0, &Message, 0);
+
+				p = (uint8*) credssp->pubKeyAuth.data;
+				memcpy(p, Buffers[1].pvBuffer, Buffers[1].cbBuffer); /* Message Signature */
+				memcpy(&p[Buffers[1].cbBuffer], Buffers[0].pvBuffer, Buffers[0].cbBuffer); /* Encrypted Public Key */
+			}
+
+			if (status == SEC_I_COMPLETE_NEEDED)
+				status = SEC_E_OK;
+			else if (status == SEC_I_COMPLETE_AND_CONTINUE)
+				status = SEC_I_CONTINUE_NEEDED;
+		}
+
+		/* send authentication token to server */
+
+		if (output_sec_buffer.cbBuffer > 0)
+		{
+			p_sec_buffer = &output_sec_buffer_desc.pBuffers[0];
+
+			credssp->negoToken.data = p_sec_buffer->pvBuffer;
+			credssp->negoToken.length = p_sec_buffer->cbBuffer;
+
+			printf("Sending Authentication Token\n");
+			freerdp_hexdump(credssp->negoToken.data, credssp->negoToken.length);
+
+			credssp_send(credssp, &credssp->negoToken, NULL,
+					(have_pub_key_auth) ? &credssp->pubKeyAuth : NULL);
+
+			if (have_pub_key_auth)
+			{
+				have_pub_key_auth = false;
+				freerdp_blob_free(&credssp->pubKeyAuth);
+			}
+
+			xfree(output_sec_buffer.pvBuffer);
+			output_sec_buffer.pvBuffer = NULL;
+		}
+
+		if (status != SEC_I_CONTINUE_NEEDED)
+			break;
+
+		/* receive server response and place in input buffer */
+
+		input_sec_buffer_desc.ulVersion = SECBUFFER_VERSION;
+		input_sec_buffer_desc.cBuffers = 1;
+		input_sec_buffer_desc.pBuffers = &input_sec_buffer;
+		input_sec_buffer.BufferType = SECBUFFER_TOKEN;
+
+		if (credssp_recv(credssp, &credssp->negoToken, NULL, NULL) < 0)
+			return -1;
+
+		printf("Receiving Authentication Token\n");
+		freerdp_hexdump(credssp->negoToken.data, credssp->negoToken.length);
+
+		p_sec_buffer = &input_sec_buffer_desc.pBuffers[0];
+		p_sec_buffer->pvBuffer = credssp->negoToken.data;
+		p_sec_buffer->cbBuffer = credssp->negoToken.length;
+
+		have_input_buffer = true;
+		have_context = true;
+	}
+
+	/* Encrypted Public Key +1 */
+	if (credssp_recv(credssp, &credssp->negoToken, NULL, &credssp->pubKeyAuth) < 0)
+		return -1;
+
+	/* Verify Server Public Key Echo */
+
+	{
+		int length;
+		uint32 pfQOP;
+		uint8* public_key1;
+		uint8* public_key2;
+		uint8* pub_key_auth;
+		int public_key_length;
+		SEC_BUFFER Buffers[2];
+		SEC_BUFFER_DESC Message;
+
+		length = credssp->pubKeyAuth.length;
+		pub_key_auth = (uint8*) credssp->pubKeyAuth.data;
+		public_key_length = credssp->tls->public_key.length;
+
+		Buffers[0].BufferType = SECBUFFER_PADDING; /* Signature */
+		Buffers[1].BufferType = SECBUFFER_DATA; /* Encrypted TLS Public Key */
+
+		Buffers[0].cbBuffer = 16;
+		Buffers[0].pvBuffer = xmalloc(Buffers[0].cbBuffer);
+		memcpy(Buffers[0].pvBuffer, pub_key_auth, Buffers[0].cbBuffer);
+
+		Buffers[1].cbBuffer = length - Buffers[0].cbBuffer;
+		Buffers[1].pvBuffer = xmalloc(Buffers[1].cbBuffer);
+		memcpy(Buffers[1].pvBuffer, &pub_key_auth[Buffers[0].cbBuffer], Buffers[1].cbBuffer);
+
+		Message.cBuffers = 2;
+		Message.ulVersion = SECBUFFER_VERSION;
+		Message.pBuffers = (SEC_BUFFER*) &Buffers;
+
+		status = table->DecryptMessage(&context, &Message, 0, &pfQOP);
+
+		if (status != SEC_E_OK)
+			return 0;
+
+		public_key1 = (uint8*) credssp->tls->public_key.data;
+		public_key2 = (uint8*) Buffers[1].pvBuffer;
+
+		public_key2[0]--; /* server echos the public key +1 */
+
+		if (memcmp(public_key1, public_key2, public_key_length) != 0)
+		{
+			printf("Could not verify server's public key echo\n");
+
+			printf("Expected (length = %d):\n", public_key_length);
+			freerdp_hexdump(public_key1, public_key_length);
+
+			printf("Actual (length = %d):\n", public_key_length);
+			freerdp_hexdump(public_key2, public_key_length);
+
+			return 0; /* DO NOT SEND CREDENTIALS! */
+		}
+
+		public_key2[0]++;
+	}
+
+	/* Send encrypted credentials */
+	credssp_encode_ts_credentials(credssp);
+
+	/* Encrypt TSCredentials */
+
+	{
+		uint8* p;
+		SEC_BUFFER Buffers[2];
+		SEC_BUFFER_DESC Message;
+
+		Buffers[0].BufferType = SECBUFFER_DATA; /* TSCredentials */
+		Buffers[1].BufferType = SECBUFFER_PADDING; /* Signature */
+
+		Buffers[0].cbBuffer = credssp->ts_credentials.length;
+		Buffers[0].pvBuffer = xmalloc(Buffers[0].cbBuffer);
+		memcpy(Buffers[0].pvBuffer, credssp->ts_credentials.data, Buffers[0].cbBuffer);
+
+		Buffers[1].cbBuffer = 16;
+		Buffers[1].pvBuffer = xzalloc(Buffers[1].cbBuffer);
+
+		Message.cBuffers = 2;
+		Message.ulVersion = SECBUFFER_VERSION;
+		Message.pBuffers = (SEC_BUFFER*) &Buffers;
+
+		freerdp_blob_alloc(&credssp->authInfo, Buffers[0].cbBuffer + Buffers[1].cbBuffer);
+
+		table->EncryptMessage(&context, 0, &Message, 1);
+
+		p = (uint8*) credssp->authInfo.data;
+		memcpy(p, Buffers[1].pvBuffer, Buffers[1].cbBuffer); /* Message Signature */
+		memcpy(&p[Buffers[1].cbBuffer], Buffers[0].pvBuffer, Buffers[0].cbBuffer); /* Encrypted TSCredentials */
+	}
+
+	credssp_send(credssp, NULL, &credssp->authInfo, NULL);
+
+	freerdp_blob_free(&credssp->negoToken);
+	freerdp_blob_free(&credssp->pubKeyAuth);
+	freerdp_blob_free(&credssp->authInfo);
+
+	FreeCredentialsHandle(&credentials);
+	FreeContextBuffer(pPackageInfo);
+
+	return 1;
+}
+
+#endif
+
 /**
  * Authenticate with client using CredSSP (server).
  * @param credssp

libfreerdp-auth/sspi.c

@@ -54,6 +54,115 @@ const SECURITY_FUNCTION_TABLE_NAME SECURITY_FUNCTION_TABLE_NAME_LIST[] =
 #define SEC_HANDLE_LOWER_MAX	0xFFFFFFFF
 #define SEC_HANDLE_UPPER_MAX	0xFFFFFFFE
 
+struct _CONTEXT_BUFFER_ALLOC_ENTRY
+{
+	void* contextBuffer;
+	uint32 allocatorIndex;
+};
+typedef struct _CONTEXT_BUFFER_ALLOC_ENTRY CONTEXT_BUFFER_ALLOC_ENTRY;
+
+struct _CONTEXT_BUFFER_ALLOC_TABLE
+{
+	uint32 cEntries;
+	uint32 cMaxEntries;
+	CONTEXT_BUFFER_ALLOC_ENTRY* entries;
+};
+typedef struct _CONTEXT_BUFFER_ALLOC_TABLE CONTEXT_BUFFER_ALLOC_TABLE;
+
+CONTEXT_BUFFER_ALLOC_TABLE ContextBufferAllocTable;
+
+void sspi_ContextBufferAllocTableNew()
+{
+	size_t size;
+
+	ContextBufferAllocTable.cEntries = 0;
+	ContextBufferAllocTable.cMaxEntries = 4;
+
+	size = sizeof(CONTEXT_BUFFER_ALLOC_ENTRY) * ContextBufferAllocTable.cMaxEntries;
+
+	ContextBufferAllocTable.entries = xzalloc(size);
+}
+
+void sspi_ContextBufferAllocTableGrow()
+{
+	size_t size;
+	ContextBufferAllocTable.cEntries = 0;
+	ContextBufferAllocTable.cMaxEntries *= 2;
+
+	size = sizeof(CONTEXT_BUFFER_ALLOC_ENTRY) * ContextBufferAllocTable.cMaxEntries;
+
+	ContextBufferAllocTable.entries = xrealloc(ContextBufferAllocTable.entries, size);
+	memset((void*) &ContextBufferAllocTable.entries[ContextBufferAllocTable.cMaxEntries / 2], 0, size / 2);
+}
+
+void sspi_ContextBufferAllocTableFree()
+{
+	ContextBufferAllocTable.cEntries = ContextBufferAllocTable.cMaxEntries = 0;
+	xfree(ContextBufferAllocTable.entries);
+}
+
+void* sspi_ContextBufferAlloc(uint32 allocatorIndex, size_t size)
+{
+	int index;
+	void* contextBuffer;
+
+	for (index = 0; index < ContextBufferAllocTable.cMaxEntries; index++)
+	{
+		if (ContextBufferAllocTable.entries[index].contextBuffer == NULL)
+		{
+			contextBuffer = xzalloc(size);
+			ContextBufferAllocTable.cEntries++;
+
+			ContextBufferAllocTable.entries[index].contextBuffer = contextBuffer;
+			ContextBufferAllocTable.entries[index].allocatorIndex = allocatorIndex;
+
+			return ContextBufferAllocTable.entries[index].contextBuffer;
+		}
+	}
+
+	/* no available entry was found, the table needs to be grown */
+
+	sspi_ContextBufferAllocTableGrow();
+
+	/* the next call to sspi_ContextBufferAlloc() should now succeed */
+
+	return sspi_ContextBufferAlloc(allocatorIndex, size);
+}
+
+void FreeContextBuffer_EnumerateSecurityPackages(void* contextBuffer);
+void FreeContextBuffer_QuerySecurityPackageInfo(void* contextBuffer);
+
+void sspi_ContextBufferFree(void* contextBuffer)
+{
+	int index;
+	uint32 allocatorIndex;
+
+	for (index = 0; index < ContextBufferAllocTable.cMaxEntries; index++)
+	{
+		if (contextBuffer == ContextBufferAllocTable.entries[index].contextBuffer)
+		{
+			contextBuffer = ContextBufferAllocTable.entries[index].contextBuffer;
+			allocatorIndex = ContextBufferAllocTable.entries[index].allocatorIndex;
+
+			ContextBufferAllocTable.cEntries--;
+
+			ContextBufferAllocTable.entries[index].allocatorIndex = 0;
+			ContextBufferAllocTable.entries[index].contextBuffer = NULL;
+
+			switch (allocatorIndex)
+			{
+				case EnumerateSecurityPackagesIndex:
+					FreeContextBuffer_EnumerateSecurityPackages(contextBuffer);
+					break;
+
+				case QuerySecurityPackageInfoIndex:
+					FreeContextBuffer_QuerySecurityPackageInfo(contextBuffer);
+					break;
+			}
+		}
+	}
+}
+
 CREDENTIALS* sspi_CredentialsNew()
 {
 	CREDENTIALS* credentials;
@@ -76,6 +185,18 @@ void sspi_CredentialsFree(CREDENTIALS* credentials)
 	xfree(credentials);
 }
 
+void sspi_SecBufferAlloc(SEC_BUFFER* sec_buffer, size_t size)
+{
+	sec_buffer->cbBuffer = size;
+	sec_buffer->pvBuffer = xzalloc(size);
+}
+
+void sspi_SecBufferFree(SEC_BUFFER* sec_buffer)
+{
+	sec_buffer->cbBuffer = 0;
+	xfree(sec_buffer->pvBuffer);
+}
+
 SEC_HANDLE* sspi_SecureHandleAlloc()
 {
 	SEC_HANDLE* handle = xmalloc(sizeof(SEC_HANDLE));
@@ -165,79 +286,29 @@ SECURITY_FUNCTION_TABLE* sspi_GetSecurityFunctionTableByName(const char* Name)
 	return NULL;
 }
 
+void sspi_GlobalInit()
+{
+	sspi_ContextBufferAllocTableNew();
+}
+
+void sspi_GlobalFinish()
+{
+	sspi_ContextBufferAllocTableFree();
+}
+
 /* Package Management */
 
 SECURITY_STATUS EnumerateSecurityPackages(uint32* pcPackages, SEC_PKG_INFO** ppPackageInfo)
 {
-	/*
-	 * Name: Negotiate
-	 * Comment: Microsoft Package Negotiator
-	 * fCapabilities: 0x00083BB3
-	 * wVersion: 1
-	 * wRPCID: 0x0009
-	 * cbMaxToken: 0x00002FE0
-	 */
-
-	/*
-	 * Name: NegoExtender
-	 * Comment: NegoExtender Security Package
-	 * fCapabilities: 0x00113913
-	 * wVersion: 1
-	 * wRPCID: 0x001E
-	 * cbMaxToken: 0x00002EE0
-	 */
-
-	/*
-	 * Name: Kerberos
-	 * Comment: Microsoft Kerberos V1.0
-	 * fCapabilities: 0x000F3BBF
-	 * wVersion: 1
-	 * wRPCID: 0x0010
-	 * cbMaxToken: 0x00002EE0
-	 */
-
-	/*
-	 * Name: NTLM
-	 * Comment: NTLM Security Package
-	 * fCapabilities: 0x00082B37
-	 * wVersion: 1
-	 * wRPCID: 0x000A
-	 * cbMaxToken: 0x00000B48
-	 */
-
-	/*
-	 * Name: Schannel
-	 * Comment: Schannel Security Package
-	 * fCapabilities: 0x000107B3
-	 * wVersion: 1
-	 * wRPCID: 0x000E
-	 * cbMaxToken: 0x00006000
-	 */
-
-	/*
-	 * Name: TSSSP
-	 * Comment: TS Service Security Package
-	 * fCapabilities: 0x00010230
-	 * wVersion: 1
-	 * wRPCID: 0x0016
-	 * cbMaxToken: 0x000032C8
-	 */
-
-	/*
-	 * Name: CREDSSP
-	 * Comment: Microsoft CredSSP Security Provider
-	 * fCapabilities: 0x000110733
-	 * wVersion: 1
-	 * wRPCID: 0xFFFF
-	 * cbMaxToken: 0x000090A8
-	 */
-
 	int index;
+	size_t size;
 	uint32 cPackages;
 	SEC_PKG_INFO* pPackageInfo;
 
 	cPackages = sizeof(SEC_PKG_INFO_LIST) / sizeof(SEC_PKG_INFO*);
-	pPackageInfo = (SEC_PKG_INFO*) xmalloc(sizeof(SEC_PKG_INFO) * cPackages);
+	size = sizeof(SEC_PKG_INFO) * cPackages;
+
+	pPackageInfo = (SEC_PKG_INFO*) sspi_ContextBufferAlloc(EnumerateSecurityPackagesIndex, size);
 
 	for (index = 0; index < cPackages; index++)
 	{
@@ -255,6 +326,26 @@ SECURITY_STATUS EnumerateSecurityPackages(uint32* pcPackages, SEC_PKG_INFO** ppP
 	return SEC_E_OK;
 }
 
+void FreeContextBuffer_EnumerateSecurityPackages(void* contextBuffer)
+{
+	int index;
+	uint32 cPackages;
+	SEC_PKG_INFO* pPackageInfo = (SEC_PKG_INFO*) contextBuffer;
+
+	cPackages = sizeof(SEC_PKG_INFO_LIST) / sizeof(SEC_PKG_INFO*);
+
+	for (index = 0; index < cPackages; index++)
+	{
+		if (pPackageInfo[index].Name)
+			xfree(pPackageInfo[index].Name);
+
+		if (pPackageInfo[index].Comment)
+			xfree(pPackageInfo[index].Comment);
+	}
+
+	xfree(pPackageInfo);
+}
+
 SECURITY_FUNCTION_TABLE* InitSecurityInterface(void)
 {
 	SECURITY_FUNCTION_TABLE* security_function_table;
@@ -266,6 +357,7 @@ SECURITY_FUNCTION_TABLE* InitSecurityInterface(void)
 SECURITY_STATUS QuerySecurityPackageInfo(char* pszPackageName, SEC_PKG_INFO** ppPackageInfo)
 {
 	int index;
+	size_t size;
 	uint32 cPackages;
 	SEC_PKG_INFO* pPackageInfo;
 
@@ -275,7 +367,8 @@ SECURITY_STATUS QuerySecurityPackageInfo(char* pszPackageName, SEC_PKG_INFO** pp
 	{
 		if (strcmp(pszPackageName, SEC_PKG_INFO_LIST[index]->Name) == 0)
 		{
-			pPackageInfo = (SEC_PKG_INFO*) xmalloc(sizeof(SEC_PKG_INFO));
+			size = sizeof(SEC_PKG_INFO);
+			pPackageInfo = (SEC_PKG_INFO*) sspi_ContextBufferAlloc(QuerySecurityPackageInfoIndex, size);
 
 			pPackageInfo->fCapabilities = SEC_PKG_INFO_LIST[index]->fCapabilities;
 			pPackageInfo->wVersion = SEC_PKG_INFO_LIST[index]->wVersion;
@@ -295,6 +388,19 @@ SECURITY_STATUS QuerySecurityPackageInfo(char* pszPackageName, SEC_PKG_INFO** pp
 	return SEC_E_SECPKG_NOT_FOUND;
 }
 
+void FreeContextBuffer_QuerySecurityPackageInfo(void* contextBuffer)
+{
+	SEC_PKG_INFO* pPackageInfo = (SEC_PKG_INFO*) contextBuffer;
+
+	if (pPackageInfo->Name)
+		xfree(pPackageInfo->Name);
+
+	if (pPackageInfo->Comment)
+		xfree(pPackageInfo->Comment);
+
+	xfree(pPackageInfo);
+}
+
 /* Credential Management */
 
 SECURITY_STATUS AcquireCredentialsHandle(char* pszPrincipal, char* pszPackage,
@@ -307,7 +413,7 @@ SECURITY_STATUS AcquireCredentialsHandle(char* pszPrincipal, char* pszPackage,
 	if (!table)
 		return SEC_E_SECPKG_NOT_FOUND;
 
-	if (!(table->AcquireCredentialsHandle))
+	if (table->AcquireCredentialsHandle == NULL)
 		return SEC_E_UNSUPPORTED_FUNCTION;
 
 	status = table->AcquireCredentialsHandle(pszPrincipal, pszPackage, fCredentialUse,
@@ -323,19 +429,26 @@ SECURITY_STATUS ExportSecurityContext(CTXT_HANDLE* phContext, uint32 fFlags, SEC
 
 SECURITY_STATUS FreeCredentialsHandle(CRED_HANDLE* phCredential)
 {
-	CREDENTIALS* credentials;
+	char* Name;
+	SECURITY_STATUS status;
+	SECURITY_FUNCTION_TABLE* table;
 
-	if (!phCredential)
-		return SEC_E_INVALID_HANDLE;
+	Name = (char*) sspi_SecureHandleGetUpperPointer(phCredential);
 
-	credentials = (CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential);
+	if (!Name)
+		return SEC_E_SECPKG_NOT_FOUND;
 
-	if (!credentials)
-		return SEC_E_INVALID_HANDLE;
+	table = sspi_GetSecurityFunctionTableByName(Name);
 
-	sspi_CredentialsFree(credentials);
+	if (!table)
+		return SEC_E_SECPKG_NOT_FOUND;
 
-	return SEC_E_OK;
+	if (table->FreeCredentialsHandle == NULL)
+		return SEC_E_UNSUPPORTED_FUNCTION;
+
+	status = table->FreeCredentialsHandle(phCredential);
+
+	return status;
 }
 
 SECURITY_STATUS ImportSecurityContext(char* pszPackage, SEC_BUFFER* pPackedContext, void* pToken, CTXT_HANDLE* phContext)
@@ -359,6 +472,9 @@ SECURITY_STATUS QueryCredentialsAttributes(CRED_HANDLE* phCredential, uint32 ulA
 	if (!table)
 		return SEC_E_SECPKG_NOT_FOUND;
 
+	if (table->QueryCredentialsAttributes == NULL)
+		return SEC_E_UNSUPPORTED_FUNCTION;
+
 	status = table->QueryCredentialsAttributes(phCredential, ulAttribute, pBuffer);
 
 	return status;
@@ -390,8 +506,10 @@ SECURITY_STATUS DeleteSecurityContext(CTXT_HANDLE* phContext)
 
 SECURITY_STATUS FreeContextBuffer(void* pvContextBuffer)
 {
-	if (pvContextBuffer != NULL)
-		xfree(pvContextBuffer);
+	if (!pvContextBuffer)
+		return SEC_E_INVALID_HANDLE;
+
+	sspi_ContextBufferFree(pvContextBuffer);
 
 	return SEC_E_OK;
 }
@@ -420,6 +538,9 @@ SECURITY_STATUS InitializeSecurityContext(CRED_HANDLE* phCredential, CTXT_HANDLE
 	if (!table)
 		return SEC_E_SECPKG_NOT_FOUND;
 
+	if (table->InitializeSecurityContext == NULL)
+		return SEC_E_UNSUPPORTED_FUNCTION;
+
 	status = table->InitializeSecurityContext(phCredential, phContext,
 			pszTargetName, fContextReq, Reserved1, TargetDataRep,
 			pInput, Reserved2, phNewContext, pOutput, pfContextAttr, ptsExpiry);
@@ -429,7 +550,26 @@ SECURITY_STATUS InitializeSecurityContext(CRED_HANDLE* phCredential, CTXT_HANDLE
 
 SECURITY_STATUS QueryContextAttributes(CTXT_HANDLE* phContext, uint32 ulAttribute, void* pBuffer)
 {
-	return SEC_E_OK;
+	char* Name;
+	SECURITY_STATUS status;
+	SECURITY_FUNCTION_TABLE* table;
+
+	Name = (char*) sspi_SecureHandleGetUpperPointer(phContext);
+
+	if (!Name)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	table = sspi_GetSecurityFunctionTableByName(Name);
+
+	if (!table)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	if (table->QueryContextAttributes == NULL)
+		return SEC_E_UNSUPPORTED_FUNCTION;
+
+	status = table->QueryContextAttributes(phContext, ulAttribute, pBuffer);
+
+	return status;
 }
 
 SECURITY_STATUS QuerySecurityContextToken(CTXT_HANDLE* phContext, void* phToken)
@@ -451,22 +591,98 @@ SECURITY_STATUS RevertSecurityContext(CTXT_HANDLE* phContext)
 
 SECURITY_STATUS DecryptMessage(CTXT_HANDLE* phContext, SEC_BUFFER_DESC* pMessage, uint32 MessageSeqNo, uint32* pfQOP)
 {
-	return SEC_E_OK;
+	char* Name;
+	SECURITY_STATUS status;
+	SECURITY_FUNCTION_TABLE* table;
+
+	Name = (char*) sspi_SecureHandleGetUpperPointer(phContext);
+
+	if (!Name)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	table = sspi_GetSecurityFunctionTableByName(Name);
+
+	if (!table)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	if (table->DecryptMessage == NULL)
+		return SEC_E_UNSUPPORTED_FUNCTION;
+
+	status = table->DecryptMessage(phContext, pMessage, MessageSeqNo, pfQOP);
+
+	return status;
 }
 
 SECURITY_STATUS EncryptMessage(CTXT_HANDLE* phContext, uint32 fQOP, SEC_BUFFER_DESC* pMessage, uint32 MessageSeqNo)
 {
-	return SEC_E_OK;
+	char* Name;
+	SECURITY_STATUS status;
+	SECURITY_FUNCTION_TABLE* table;
+
+	Name = (char*) sspi_SecureHandleGetUpperPointer(phContext);
+
+	if (!Name)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	table = sspi_GetSecurityFunctionTableByName(Name);
+
+	if (!table)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	if (table->EncryptMessage == NULL)
+		return SEC_E_UNSUPPORTED_FUNCTION;
+
+	status = table->EncryptMessage(phContext, fQOP, pMessage, MessageSeqNo);
+
+	return status;
 }
 
 SECURITY_STATUS MakeSignature(CTXT_HANDLE* phContext, uint32 fQOP, SEC_BUFFER_DESC* pMessage, uint32 MessageSeqNo)
 {
-	return SEC_E_OK;
+	char* Name;
+	SECURITY_STATUS status;
+	SECURITY_FUNCTION_TABLE* table;
+
+	Name = (char*) sspi_SecureHandleGetUpperPointer(phContext);
+
+	if (!Name)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	table = sspi_GetSecurityFunctionTableByName(Name);
+
+	if (!table)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	if (table->MakeSignature == NULL)
+		return SEC_E_UNSUPPORTED_FUNCTION;
+
+	status = table->MakeSignature(phContext, fQOP, pMessage, MessageSeqNo);
+
+	return status;
 }
 
 SECURITY_STATUS VerifySignature(CTXT_HANDLE* phContext, SEC_BUFFER_DESC* pMessage, uint32 MessageSeqNo, uint32* pfQOP)
 {
-	return SEC_E_OK;
+	char* Name;
+	SECURITY_STATUS status;
+	SECURITY_FUNCTION_TABLE* table;
+
+	Name = (char*) sspi_SecureHandleGetUpperPointer(phContext);
+
+	if (!Name)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	table = sspi_GetSecurityFunctionTableByName(Name);
+
+	if (!table)
+		return SEC_E_SECPKG_NOT_FOUND;
+
+	if (table->VerifySignature == NULL)
+		return SEC_E_UNSUPPORTED_FUNCTION;
+
+	status = table->VerifySignature(phContext, pMessage, MessageSeqNo, pfQOP);
+
+	return status;
 }
 
 const SECURITY_FUNCTION_TABLE SSPI_SECURITY_FUNCTION_TABLE =

libfreerdp-auth/sspi.h

@@ -32,6 +32,9 @@ typedef struct _CREDENTIALS CREDENTIALS;
 CREDENTIALS* sspi_CredentialsNew();
 void sspi_CredentialsFree(CREDENTIALS* credentials);
 
+void sspi_SecBufferAlloc(SEC_BUFFER* sec_buffer, size_t size);
+void sspi_SecBufferFree(SEC_BUFFER* sec_buffer);
+
 SEC_HANDLE* sspi_SecureHandleAlloc();
 void sspi_SecureHandleInit(SEC_HANDLE* handle);
 void sspi_SecureHandleInvalidate(SEC_HANDLE* handle);
@@ -41,4 +44,36 @@ void* sspi_SecureHandleGetUpperPointer(SEC_HANDLE* handle);
 void sspi_SecureHandleSetUpperPointer(SEC_HANDLE* handle, void* pointer);
 void sspi_SecureHandleFree(SEC_HANDLE* handle);
 
+enum SecurityFunctionTableIndex
+{
+	EnumerateSecurityPackagesIndex = 1,
+	Reserved1Index = 2,
+	QueryCredentialsAttributesIndex = 3,
+	AcquireCredentialsHandleIndex = 4,
+	FreeCredentialsHandleIndex = 5,
+	Reserved2Index = 6,
+	InitializeSecurityContextIndex = 7,
+	AcceptSecurityContextIndex = 8,
+	CompleteAuthTokenIndex = 9,
+	DeleteSecurityContextIndex = 10,
+	ApplyControlTokenIndex = 11,
+	QueryContextAttributesIndex = 12,
+	ImpersonateSecurityContextIndex = 13,
+	RevertSecurityContextIndex = 14,
+	MakeSignatureIndex = 15,
+	VerifySignatureIndex = 16,
+	FreeContextBufferIndex = 17,
+	QuerySecurityPackageInfoIndex = 18,
+	Reserved3Index = 19,
+	Reserved4Index = 20,
+	ExportSecurityContextIndex = 21,
+	ImportSecurityContextIndex = 22,
+	AddCredentialsIndex = 23,
+	Reserved8Index = 24,
+	QuerySecurityContextTokenIndex = 25,
+	EncryptMessageIndex = 26,
+	DecryptMessageIndex = 27,
+	SetContextAttributesIndex = 28
+};
+
 #endif /* FREERDP_AUTH_SSPI_PRIVATE_H */

libfreerdp-cache/pointer.c

@@ -29,7 +29,19 @@ void update_pointer_position(rdpContext* context, POINTER_POSITION_UPDATE* point
 
 void update_pointer_system(rdpContext* context, POINTER_SYSTEM_UPDATE* pointer_system)
 {
+	switch (pointer_system->type)
+	{
+		case SYSPTR_NULL:
+			Pointer_SetNull(context);
+			break;
 
+		case SYSPTR_DEFAULT:
+			Pointer_SetDefault(context);
+			break;
+
+		default:
+			printf("Unknown system pointer type (0x%08X)\n", pointer_system->type);
+	}
 }
 
 void update_pointer_color(rdpContext* context, POINTER_COLOR_UPDATE* pointer_color)

libfreerdp-core/graphics.c

@@ -128,6 +128,16 @@ void Pointer_Set(rdpContext* context, rdpPointer* pointer)
 	context->graphics->Pointer_Prototype->Set(context, pointer);
 }
 
+void Pointer_SetNull(rdpContext* context)
+{
+	context->graphics->Pointer_Prototype->SetNull(context);
+}
+
+void Pointer_SetDefault(rdpContext* context)
+{
+	context->graphics->Pointer_Prototype->SetDefault(context);
+}
+
 void graphics_register_pointer(rdpGraphics* graphics, rdpPointer* pointer)
 {
 	memcpy(graphics->Pointer_Prototype, pointer, sizeof(rdpPointer));