From 81a2c3c705989e31084c8c000966ae1e9b3cf83c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Moreau?=
Date: Sun, 20 May 2012 18:32:22 -0400
Subject: [PATCH] libwinpr-sspi: fix server-side NTLM confidentiality

---
 libwinpr-sspi/NTLM/ntlm.c | 24 ++++++++++++++++++++----
 libwinpr-sspi/credssp.c   |  6 +++---
 2 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/libwinpr-sspi/NTLM/ntlm.c b/libwinpr-sspi/NTLM/ntlm.c
index 1c5e5bfd0..6b4b538ee 100644
--- a/libwinpr-sspi/NTLM/ntlm.c
+++ b/libwinpr-sspi/NTLM/ntlm.c
@@ -279,10 +279,15 @@ SECURITY_STATUS SEC_ENTRY ntlm_AcceptSecurityContext(PCredHandle phCredential, P
 	if (!context)
 	{
 		context = ntlm_ContextNew();
+
 		if (!context)
-			return SEC_E_INSUFFICIENT_MEMORY ;
+			return SEC_E_INSUFFICIENT_MEMORY;
+
 		context->server = true;
+		if (fContextReq & ASC_REQ_CONFIDENTIALITY)
+			context->confidentiality = true;
+
 		credentials = (CREDENTIALS*) sspi_SecureHandleGetLowerPointer(phCredential);
 		ntlm_SetContextIdentity(context, &credentials->identity);
@@ -390,7 +395,7 @@ SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextA(PCredHandle phCredenti
 	{
 		context = ntlm_ContextNew();
 		if (!context)
-			return SEC_E_INSUFFICIENT_MEMORY ;
+			return SEC_E_INSUFFICIENT_MEMORY;
 		if (fContextReq & ISC_REQ_CONFIDENTIALITY)
 			context->confidentiality = true;
@@ -570,8 +575,6 @@ SECURITY_STATUS SEC_ENTRY ntlm_EncryptMessage(PCtxtHandle phContext, uint32 fQOP
 	else
 		memcpy(data_buffer->pvBuffer, data, length);
-	free(data);
-
 #ifdef WITH_DEBUG_NTLM
 	printf("Data Buffer (length = %d)\n", length);
 	freerdp_hexdump(data, length);
@@ -582,6 +585,8 @@ SECURITY_STATUS SEC_ENTRY ntlm_EncryptMessage(PCtxtHandle phContext, uint32 fQOP
 	printf("\n");
 #endif
+	free(data);
+
 	/* RC4-encrypt first 8 bytes of digest */
 	crypto_rc4(context->SendRc4Seal, 8, digest, checksum);
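Review bot: The new `if (fContextReq & ASC_REQ_CONFIDENTIALITY)` block in the `@@ -279` hunk records the request on the context, but nothing in the hunk reports the grant back through the pfContextAttr output that SSPI callers inspect; whether ntlm_AcceptSecurityContext writes that output at all is not visible here, since the function starts and ends outside the hunk. If it does not, credssp_server_authenticate cannot confirm that sealing was actually negotiated before relying on EncryptMessage/DecryptMessage, so wherever the returned attributes are filled in, add `*pfContextAttr |= ASC_RET_CONFIDENTIALITY;` when the flag was honoured. The flag is also only captured on the very first call, when the context is created, which matches SSPI but deserves a comment such as `/* confidentiality is fixed when the context is created; later calls cannot change it */`.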
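Review bot: The relocated `free(data)` in the `@@ -582` hunk now follows the `WITH_DEBUG_NTLM` dump that still reads `data`, closing a use-after-free that only debug builds hit, but nothing marks the ordering as deliberate, so a later tidy-up could move the free back to where the `@@ -570` hunk removed it. A short comment above the free would pin it: `/* must stay after the debug dump above, which reads data */`. ntlm_EncryptMessage begins and ends outside these hunks, so the allocation of data and any early returns between it and this free are not visible here.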
@@ -647,6 +652,17 @@ SECURITY_STATUS SEC_ENTRY ntlm_DecryptMessage(PCtxtHandle phContext, PSecBufferD
 	HMAC_Update(&hmac, data_buffer->pvBuffer, data_buffer->cbBuffer);
 	HMAC_Final(&hmac, digest, NULL);
 	HMAC_CTX_cleanup(&hmac);
+
+#ifdef WITH_DEBUG_NTLM
+	printf("Encrypted Data Buffer (length = %d)\n", length);
+	freerdp_hexdump(data, length);
+	printf("\n");
+
+	printf("Data Buffer (length = %d)\n", data_buffer->cbBuffer);
+	freerdp_hexdump(data_buffer->pvBuffer, data_buffer->cbBuffer);
+	printf("\n");
+#endif
+
 	free(data);
 	/* RC4-encrypt first 8 bytes of digest */
diff --git a/libwinpr-sspi/credssp.c b/libwinpr-sspi/credssp.c
index afa90fed0..614fb8699 100644
--- a/libwinpr-sspi/credssp.c
+++ b/libwinpr-sspi/credssp.c
@@ -420,8 +420,8 @@ int credssp_server_authenticate(rdpCredssp* credssp)
 	memset(&output_buffer, 0, sizeof(SecBuffer));
 	memset(&credssp->ContextSizes, 0, sizeof(SecPkgContext_Sizes));
-	fContextReq = ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT |
-			ISC_REQ_CONFIDENTIALITY | ISC_REQ_DELEGATE;
+	fContextReq = ASC_REQ_REPLAY_DETECT | ASC_REQ_SEQUENCE_DETECT |
+			ASC_REQ_CONFIDENTIALITY | ASC_REQ_DELEGATE;
 	while (true)
 	{
@@ -458,7 +458,7 @@ int credssp_server_authenticate(rdpCredssp* credssp)
 	status = credssp->table->AcceptSecurityContext(&credentials,
 			have_context? &credssp->context: NULL,
-			&input_buffer_desc, 0, SECURITY_NATIVE_DREP, &credssp->context,
+			&input_buffer_desc, fContextReq, SECURITY_NATIVE_DREP, &credssp->context,
 			&output_buffer_desc, &pfContextAttr, &expiration);
 	if (input_buffer.pvBuffer != NULL)
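Review bot: `printf("Data Buffer (length = %d)\n", data_buffer->cbBuffer)` in the `@@ -647` hunk hands the SecBuffer length field to `%d`; cbBuffer is an unsigned field in the SSPI SecBuffer definition (check the WinPR typedef for its exact width), so the specifier should be `%u` or carry a cast, which also keeps -Wformat quiet. The dump is correctly placed before `free(data)`, in line with the EncryptMessage fix in this commit. Both hexdumps write the decrypted payload of a sealed message to stdout whenever WITH_DEBUG_NTLM is compiled in, so a comment above the #ifdef such as `/* debug only: dumps the decrypted payload in clear */` would make that consequence visible to anyone enabling the define. ntlm_DecryptMessage starts and ends outside the hunk.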
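Review bot: The call in the `@@ -458` hunk now passes `fContextReq`, including ASC_REQ_CONFIDENTIALITY, but the hunk does not check `pfContextAttr` after a successful return, so a package that silently declines the request would still be used for sealing; the rest of the loop body is outside the hunk, so the check may already exist there. If it does not, add after the status check `if (!(pfContextAttr & ASC_RET_CONFIDENTIALITY)) /* fail the handshake */` so the server never proceeds without the protection it asked for. The `@@ -420` hunk's move to the ASC_ constants is the right set for the accept side; a one-line comment noting that ISC_ and ASC_ are separate flag sets would help keep them from being mixed up again.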