From d2c653baf3b8eb2f737adc9f71ac0267418657a2 Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Fri, 29 May 2020 09:30:25 +0200
Subject: [PATCH] Lock remaining occurances of security_encrypt/security_decrypt variables
(cherry picked from commit f01ae7d2573b677eba6c8a50fe12246a23b15f2e)
---
 libfreerdp/core/security.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/libfreerdp/core/security.c b/libfreerdp/core/security.c
index 54c39cc..7caf5a8 100644
--- a/libfreerdp/core/security.c
+++ b/libfreerdp/core/security.c
@@ -394,6 +394,8 @@ BOOL security_salted_mac_signature(rdpRdp* rdp, const BYTE* data, UINT32 length,
 BYTE md5_digest[WINPR_MD5_DIGEST_LENGTH];
 BYTE sha1_digest[WINPR_SHA1_DIGEST_LENGTH];
 BOOL result = FALSE;
+
+ EnterCriticalSection(&rdp->critical);
 security_UINT32_le(length_le, length); /* length must be little-endian */
 if (encryption)
@@ -456,6 +458,7 @@ BOOL security_salted_mac_signature(rdpRdp* rdp, const BYTE* data, UINT32 length,
 memcpy(output, md5_digest, 8);
 result = TRUE;
 out:
+ LeaveCriticalSection(&rdp->critical);
 winpr_Digest_Free(sha1);
 winpr_Digest_Free(md5);
 return result;
@@ -636,12 +639,14 @@ BOOL security_establish_keys(const BYTE* client_random, rdpRdp* rdp)
 rdp->rc4_key_len = 16;
 }
+ EnterCriticalSection(&rdp->critical);
 memcpy(rdp->decrypt_update_key, rdp->decrypt_key, 16);
 memcpy(rdp->encrypt_update_key, rdp->encrypt_key, 16);
 rdp->decrypt_use_count = 0;
 rdp->decrypt_checksum_use_count = 0;
 rdp->encrypt_use_count = 0;
 rdp->encrypt_checksum_use_count = 0;
+ LeaveCriticalSection(&rdp->critical);
 return TRUE;
 }
@@ -777,7 +782,9 @@ BOOL security_hmac_signature(const BYTE* data, size_t length, BYTE* output, rdpR
 BYTE use_count_le[4];
 WINPR_HMAC_CTX* hmac;
 BOOL result = FALSE;
+ EnterCriticalSection(&rdp->critical);
 security_UINT32_le(use_count_le, rdp->encrypt_use_count);
+ LeaveCriticalSection(&rdp->critical);
 if (!(hmac = winpr_HMAC_New()))
 return FALSE;
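Review bot: In security_salted_mac_signature the section entered right after the declarations is only left at `out:`, so everything between the two hunks runs with `rdp->critical` held, whereas the hunks at -777 and -836 hold it just for the counter access. The code between the hunks is not shown, so it may well read more shared state than the use counters. The reason for the wider scope should still be written down, for example `/* rdp->critical is held for the whole computation: the use counts and key fields read below must stay consistent */` above the Enter call. If only the counter read needs protection, the lock should be narrowed to match the other two functions.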
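Review bot: In security_establish_keys the context line `rdp->rc4_key_len = 16;` is written before `EnterCriticalSection(&rdp->critical);`, so the lock covers only the update-key copies and the four counter resets. The key derivation earlier in the function lies outside the hunk; if it also writes `rdp->decrypt_key` and `rdp->encrypt_key` unlocked, a thread already on the encrypt or decrypt path could see a new key length alongside stale key material or counters. Either move the Enter call above the first write to these fields, or add a comment stating that no other thread uses the security state while keys are being established.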
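Review bot: In security_hmac_signature the lock is dropped as soon as `rdp->encrypt_use_count` has been copied into `use_count_le`, so the HMAC is computed over a snapshot of the counter. Nothing in this hunk ties that snapshot to the encryption step that later advances the counter, so the signature and the cipher state are only guaranteed to agree if the caller already holds `rdp->critical` across both calls. That requirement is worth stating in a comment on the function, e.g. `/* caller must hold rdp->critical across signing and encryption of one PDU */`, since the function continues outside the hunk and the call sites are not visible here.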
@@ -836,7 +843,9 @@ BOOL security_fips_check_signature(const BYTE* data, size_t length, const BYTE*
 BYTE use_count_le[4];
 WINPR_HMAC_CTX* hmac;
 BOOL result = FALSE;
- security_UINT32_le(use_count_le, rdp->decrypt_use_count);
+ EnterCriticalSection(&rdp->critical);
+ security_UINT32_le(use_count_le, rdp->decrypt_use_count++);
+ LeaveCriticalSection(&rdp->critical);
 if (!(hmac = winpr_HMAC_New()))
 return FALSE;
@@ -853,8 +862,6 @@ BOOL security_fips_check_signature(const BYTE* data, size_t length, const BYTE*
 if (!winpr_HMAC_Final(hmac, buf, WINPR_SHA1_DIGEST_LENGTH))
 goto out;
- rdp->decrypt_use_count++;
-
 if (!memcmp(sig, buf, 8))
 result = TRUE;
--
2.7.4
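Review bot: Folding the increment into `security_UINT32_le(use_count_le, rdp->decrypt_use_count++);` advances the counter before `winpr_HMAC_New()` is called, so it now moves forward even when the function returns FALSE on allocation failure or takes a `goto out` on an HMAC error. The line removed in the next hunk incremented it only after `winpr_HMAC_Final` had succeeded. If a failed check always tears the session down this is harmless, but then a comment such as `/* counter is consumed even if the HMAC computation fails; the connection is dropped in that case */` should say so. Otherwise keep the locked read as `rdp->decrypt_use_count` and put `rdp->decrypt_use_count++;` back after the `winpr_HMAC_Final` check inside its own Enter/Leave pair. The function body continues outside both hunks.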