From f486fb1e9240b5969caa58d0a349b422e9f3e55e Mon Sep 17 00:00:00 2001
From: David Fort
Date: Fri, 7 Oct 2022 14:09:44 +0200
Subject: [PATCH] fixes for NLA under win32

---
 libfreerdp/core/credssp_auth.c | 21 ++++++++++-----------
 libfreerdp/core/nla.c          | 31 ++++++++++++++++++++-----------
 2 files changed, 30 insertions(+), 22 deletions(-)

diff --git a/libfreerdp/core/credssp_auth.c b/libfreerdp/core/credssp_auth.c
index 8944e06da..c60fc03fe 100644
--- a/libfreerdp/core/credssp_auth.c
+++ b/libfreerdp/core/credssp_auth.c
@@ -121,6 +121,7 @@ BOOL credssp_auth_setup_client(rdpCredsspAuth* auth, const char* target_service,
                                const char* pkinit)
 {
 	SECURITY_STATUS status;
+	void* identityPtr = NULL;
 	WINPR_ASSERT(auth);
 	WINPR_ASSERT(auth->table);
@@ -130,13 +131,7 @@ BOOL credssp_auth_setup_client(rdpCredsspAuth* auth, const char* target_service,
 	if (!credssp_auth_set_spn(auth, target_service, target_hostname))
 		return FALSE;
-	if (!identity)
-	{
-		status = auth->table->AcquireCredentialsHandleA(NULL, auth->info->Name,
-		                                                SECPKG_CRED_OUTBOUND, NULL, NULL, NULL,
-		                                                NULL, &auth->credentials, NULL);
-	}
-	else
+	if (identity)
 	{
 		if (sspi_CopyAuthIdentity(&auth->identity.identity, identity) < 0)
 			return FALSE;
@@ -152,11 +147,13 @@ BOOL credssp_auth_setup_client(rdpCredsspAuth* auth, const char* target_service,
 		}
 	}
-	status = auth->table->AcquireCredentialsHandleA(NULL, auth->info->Name,
-	                                                SECPKG_CRED_OUTBOUND, NULL, &auth->identity,
-	                                                NULL, NULL, &auth->credentials, NULL);
+	identityPtr = &auth->identity;
 	}
+	status =
+	    auth->table->AcquireCredentialsHandleA(NULL, auth->info->Name, SECPKG_CRED_OUTBOUND, NULL,
+	                                           identityPtr, NULL, NULL, &auth->credentials, NULL);
+
 	if (status != SEC_E_OK)
 	{
 		WLog_ERR(TAG, "AcquireCredentialsHandleA failed with %s [0x%08X]",
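Review bot: `identityPtr` is declared `void*`, so the new assignment `identityPtr = &auth->identity;` and its use as the pAuthData argument of AcquireCredentialsHandleA get no type checking; declaring it with the type of `auth->identity` (whose declaration is outside this hunk) and letting the implicit conversion to `void*` happen at the call would keep that check while preserving the single call site. A one-line comment at the assignment, `/* pAuthData: pass explicit credentials only when the caller supplied an identity */`, would also record why the two branches were folded into one unconditional call. The start of credssp_auth_setup_client and the opening of the `if (identity)` block are in the earlier hunks, and the rest of the function is outside this one.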
@@ -263,7 +260,7 @@ int credssp_auth_authenticate(rdpCredsspAuth* auth)
 {
 	SECURITY_STATUS status;
 	SecBuffer input_buffers[2] = { 0 };
-	SecBufferDesc input_buffer_desc = { SECBUFFER_VERSION, 2, input_buffers };
+	SecBufferDesc input_buffer_desc = { SECBUFFER_VERSION, 1, input_buffers };
 	CtxtHandle* context = NULL;
 	WINPR_ASSERT(auth);
@@ -288,6 +285,8 @@ int credssp_auth_authenticate(rdpCredsspAuth* auth)
 	if (auth->bindings)
 	{
+		input_buffer_desc.cBuffers = 2;
+
 		input_buffers[1].BufferType = SECBUFFER_CHANNEL_BINDINGS;
 		input_buffers[1].cbBuffer = auth->bindings->BindingsLength;
 		input_buffers[1].pvBuffer = auth->bindings->Bindings;
diff --git a/libfreerdp/core/nla.c b/libfreerdp/core/nla.c
index 17a2af64a..ce0676017 100644
--- a/libfreerdp/core/nla.c
+++ b/libfreerdp/core/nla.c
@@ -51,6 +51,8 @@
 #define SERVER_KEY "Software\\" FREERDP_VENDOR_STRING "\\" FREERDP_PRODUCT_STRING "\\Server"
+#define NLA_AUTH_PKG "Negotiate"
+
 /**
  * TSRequest ::= SEQUENCE {
  *   version [0] INTEGER,
@@ -198,15 +200,6 @@ static BOOL nla_adjust_settings_from_smartcard(rdpNla* nla)
 	if (!settings->SmartcardLogon)
 		return TRUE;
-	if (!settings->CspName)
-	{
-		if (!freerdp_settings_set_string(settings, FreeRDP_CspName, MS_SCARD_PROV_A))
-		{
-			WLog_ERR(TAG, "unable to set CSP name");
-			return FALSE;
-		}
-	}
-
 	if (!smartcard_enumerateCerts(settings, &certs, &count))
 	{
 		WLog_ERR(TAG, "unable to list smartcard certificates");
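Review bot: `input_buffer_desc.cBuffers` is now set in two places — 1 in the initializer at the top of credssp_auth_authenticate and 2 on the line added inside `if (auth->bindings)` — and nothing says why the second buffer must no longer be advertised when there are no bindings; presumably an empty trailing SecBuffer was not accepted by the win32 SSPI, given the commit subject, but that is an inference. A comment on the added line, `/* advertise the channel-bindings buffer only when one is present, rather than an empty second SecBuffer */`, would keep the count from being merged back into the initializer later. The body of credssp_auth_authenticate continues outside both hunks.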
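Review bot: The new `NLA_AUTH_PKG` macro carries the same literal `"Negotiate"` that `NEGO_SSP_NAME` stands for at the two credssp_auth_init call sites it replaces (the -454 and -672 hunks in nla.c), and no comment explains why the existing constant became unsuitable; presumably NEGO_SSP_NAME follows the UNICODE setting on win32 and expands to a wide string while credssp_auth_init takes a narrow `const char*`, but that is inferred from the commit subject rather than visible here. A comment above the define, `/* NLA always uses the Negotiate package; a narrow literal is used because NEGO_SSP_NAME may expand to a wide string on win32 */`, would stop the next reader from folding the two constants back together.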
@@ -229,6 +222,22 @@ static BOOL nla_adjust_settings_from_smartcard(rdpNla* nla)
 	/*
 	 * just one result let's try to fill missing parameters
 	 */
+
+	if (!settings->CspName)
+	{
+		if (info->csp &&
+		    ConvertFromUnicode(CP_UTF8, 0, info->csp, -1, &settings->CspName, 0, NULL, FALSE) <= 0)
+		{
+			WLog_ERR(TAG, "unable to set CSP name");
+			goto out;
+		}
+		else if (!(settings->CspName = _strdup(MS_SCARD_PROV_A)))
+		{
+			WLog_ERR(TAG, "unable to set CSP name");
+			goto out;
+		}
+	}
+
 	if (!settings->Username && info->userHint)
 	{
 		if (!freerdp_settings_set_string(settings, FreeRDP_Username, info->userHint))
@@ -454,7 +463,7 @@ static int nla_client_init(rdpNla* nla)
 	if (!nla_adjust_settings_from_smartcard(nla))
 		return -1;
-	if (!credssp_auth_init(nla->auth, NEGO_SSP_NAME, NULL))
+	if (!credssp_auth_init(nla->auth, NLA_AUTH_PKG, NULL))
 		return -1;
 	if (!nla_client_setup_identity(nla))
@@ -672,7 +681,7 @@ static int nla_server_init(rdpNla* nla)
 		return -1;
 	}
-	if (!credssp_auth_init(nla->auth, NEGO_SSP_NAME, NULL))
+	if (!credssp_auth_init(nla->auth, NLA_AUTH_PKG, NULL))
 		return -1;
 	if (!credssp_auth_setup_server(nla->auth))
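Review bot: In the new `if (!settings->CspName)` block, a successful ConvertFromUnicode makes the first condition false and control falls into the `else if`, which then overwrites `settings->CspName` with `_strdup(MS_SCARD_PROV_A)` — the CSP reported by the certificate is always discarded and the string ConvertFromUnicode just allocated is leaked, so the new `info->csp` path never takes effect. The two cases need to be nested rather than chained, and the default should go back through freerdp_settings_set_string with FreeRDP_CspName as the code removed in the -198 hunk did, so ownership of the string stays with the settings setter instead of a bare `_strdup` assignment. The start of nla_adjust_settings_from_smartcard and the `out` label are outside this hunk, so what `out` releases on the error paths has not been checked here.
```c
	if (!settings->CspName)
	{
		if (info->csp)
		{
			/* prefer the CSP the certificate reports over the generic default */
			if (ConvertFromUnicode(CP_UTF8, 0, info->csp, -1, &settings->CspName, 0, NULL, FALSE) <= 0)
			{
				WLog_ERR(TAG, "unable to set CSP name");
				goto out;
			}
		}
		else if (!freerdp_settings_set_string(settings, FreeRDP_CspName, MS_SCARD_PROV_A))
		{
			WLog_ERR(TAG, "unable to set CSP name");
			goto out;
		}
	}
	/* … unchanged: Username / userHint handling … */
```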