Merge pull request #4267 from ondrejholy/autofips

Enable FIPS mode automatically
akallabeth 2017-11-23 10:49:15 +01:00 committed by GitHub
commit 71e38a4ce7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 27 additions and 11 deletions


@ -2844,17 +2844,6 @@ int freerdp_client_settings_parse_command_line_arguments(rdpSettings* settings,
settings->ColorDepth = 32;
}
/* FIPS Mode forces the following and overrides the following(by happening later */
/* in the command line processing): */
/* 1. Disables NLA Security since NLA in freerdp uses NTLM(no Kerberos support yet) which uses algorithms */
/* not allowed in FIPS for sensitive data. So, we disallow NLA when FIPS is required. */
/* 2. Forces the only supported RDP encryption method to be FIPS. */
if (settings->FIPSMode)
{
settings->NlaSecurity = FALSE;
settings->EncryptionMethods = ENCRYPTION_METHOD_FIPS;
}
arg = CommandLineFindArgumentA(args, "port");
if (arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT)


@ -186,6 +186,17 @@ BOOL rdp_client_connect(rdpRdp* rdp)
flags |= WINPR_SSL_INIT_ENABLE_FIPS;
winpr_InitializeSSL(flags);
/* FIPS Mode forces the following and overrides the following(by happening later */
/* in the command line processing): */
/* 1. Disables NLA Security since NLA in freerdp uses NTLM(no Kerberos support yet) which uses algorithms */
/* not allowed in FIPS for sensitive data. So, we disallow NLA when FIPS is required. */
/* 2. Forces the only supported RDP encryption method to be FIPS. */
if (settings->FIPSMode || winpr_FIPSMode())
{
settings->NlaSecurity = FALSE;
settings->EncryptionMethods = ENCRYPTION_METHOD_FIPS;
}
nego_init(rdp->nego);
nego_set_target(rdp->nego, settings->ServerHostname, settings->ServerPort);
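Review bot: The comment block moved above the new `if (settings->FIPSMode || winpr_FIPSMode())` still says the override works "by happening later in the command line processing", which no longer describes its new location in rdp_client_connect; suggest replacing the first two comment lines with `/* FIPS mode (requested in settings or already active in the crypto library) forces: */` and dropping the command-line remark. The new predicate also rewrites NlaSecurity and EncryptionMethods when only winpr_FIPSMode() is true but leaves settings->FIPSMode FALSE, so any other code that keys on settings->FIPSMode would now disagree with this block; if such code exists, adding `settings->FIPSMode = TRUE;` inside the branch keeps the two views consistent. The condition behind `flags |= WINPR_SSL_INIT_ENABLE_FIPS` and the rest of rdp_client_connect are outside the hunk, so whether a requested-but-failed FIPS initialization is detected cannot be judged here.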


@ -38,6 +38,8 @@ extern "C" {
WINPR_API BOOL winpr_InitializeSSL(DWORD flags);
WINPR_API BOOL winpr_CleanupSSL(DWORD flags);
WINPR_API BOOL winpr_FIPSMode(void);
#ifdef __cplusplus
}
#endif
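Review bot: The new exported prototype `WINPR_API BOOL winpr_FIPSMode(void);` carries no documentation of what it reports. From the definitions in this commit it returns TRUE only when the linked OpenSSL reports FIPS mode enabled and FALSE otherwise, including on non-OpenSSL builds, so a comment such as `/* TRUE when the underlying crypto library reports FIPS mode enabled; FALSE otherwise (also on builds without that query). */` would make the contract explicit. It presumably reflects library state only after winpr_InitializeSSL has run, as the caller in rdp_client_connect assumes — confirm before stating that in the header.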


@ -346,6 +346,15 @@ BOOL winpr_CleanupSSL(DWORD flags)
return TRUE;
}
BOOL winpr_FIPSMode(void)
{
#if (OPENSSL_VERSION_NUMBER < 0x10001000L)
return FALSE;
#else
return (FIPS_mode() == 1);
#endif
}
#else
BOOL winpr_InitializeSSL(DWORD flags)
@ -358,4 +367,9 @@ BOOL winpr_CleanupSSL(DWORD flags)
return TRUE;
}
BOOL winpr_FIPSMode(void)
{
return FALSE;
}
#endif
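Review bot: The version guard `#if (OPENSSL_VERSION_NUMBER < 0x10001000L)` in the OpenSSL definition of winpr_FIPSMode has no explanation, so a reader cannot tell why older libraries are reported as non-FIPS; a one-line comment such as `/* FIPS_mode() is not usable before this OpenSSL release; report FIPS as off. */` (with the exact first supporting version confirmed) would help. As written, FALSE means both "the library cannot be queried" and "FIPS is off", so callers cannot distinguish an unsupported library from a disabled mode; that is acceptable for the current caller, which also honours settings->FIPSMode, but worth stating in the comment. The non-OpenSSL stub in the second hunk, `BOOL winpr_FIPSMode(void) { return FALSE; }`, has the same ambiguity.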