Merge pull request #4267 from ondrejholy/autofips
Enable FIPS mode automatically
This commit is contained in:
commit
71e38a4ce7
@ -2844,17 +2844,6 @@ int freerdp_client_settings_parse_command_line_arguments(rdpSettings* settings,
|
||||
settings->ColorDepth = 32;
|
||||
}
|
||||
|
||||
/* FIPS Mode forces the following and overrides the following(by happening later */
|
||||
/* in the command line processing): */
|
||||
/* 1. Disables NLA Security since NLA in freerdp uses NTLM(no Kerberos support yet) which uses algorithms */
|
||||
/* not allowed in FIPS for sensitive data. So, we disallow NLA when FIPS is required. */
|
||||
/* 2. Forces the only supported RDP encryption method to be FIPS. */
|
||||
if (settings->FIPSMode)
|
||||
{
|
||||
settings->NlaSecurity = FALSE;
|
||||
settings->EncryptionMethods = ENCRYPTION_METHOD_FIPS;
|
||||
}
|
||||
|
||||
arg = CommandLineFindArgumentA(args, "port");
|
||||
|
||||
if (arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT)
|
||||
|
@ -186,6 +186,17 @@ BOOL rdp_client_connect(rdpRdp* rdp)
|
||||
flags |= WINPR_SSL_INIT_ENABLE_FIPS;
|
||||
winpr_InitializeSSL(flags);
|
||||
|
||||
/* FIPS Mode forces the following and overrides the following(by happening later */
|
||||
/* in the command line processing): */
|
||||
/* 1. Disables NLA Security since NLA in freerdp uses NTLM(no Kerberos support yet) which uses algorithms */
|
||||
/* not allowed in FIPS for sensitive data. So, we disallow NLA when FIPS is required. */
|
||||
/* 2. Forces the only supported RDP encryption method to be FIPS. */
|
||||
if (settings->FIPSMode || winpr_FIPSMode())
|
||||
{
|
||||
settings->NlaSecurity = FALSE;
|
||||
settings->EncryptionMethods = ENCRYPTION_METHOD_FIPS;
|
||||
}
|
||||
|
||||
nego_init(rdp->nego);
|
||||
nego_set_target(rdp->nego, settings->ServerHostname, settings->ServerPort);
|
||||
|
||||
|
@ -38,6 +38,8 @@ extern "C" {
|
||||
WINPR_API BOOL winpr_InitializeSSL(DWORD flags);
|
||||
WINPR_API BOOL winpr_CleanupSSL(DWORD flags);
|
||||
|
||||
WINPR_API BOOL winpr_FIPSMode(void);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
@ -346,6 +346,15 @@ BOOL winpr_CleanupSSL(DWORD flags)
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
BOOL winpr_FIPSMode(void)
|
||||
{
|
||||
#if (OPENSSL_VERSION_NUMBER < 0x10001000L)
|
||||
return FALSE;
|
||||
#else
|
||||
return (FIPS_mode() == 1);
|
||||
#endif
|
||||
}
|
||||
|
||||
#else
|
||||
|
||||
BOOL winpr_InitializeSSL(DWORD flags)
|
||||
@ -358,4 +367,9 @@ BOOL winpr_CleanupSSL(DWORD flags)
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
BOOL winpr_FIPSMode(void)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
Loading…
Reference in New Issue
Block a user