From 6973b14eed7053b7b6322d86730660f371f829e3 Mon Sep 17 00:00:00 2001
From: Ondrej Holy
Date: Wed, 22 Nov 2017 19:25:32 +0100
Subject: [PATCH 1/2] Enable FIPS mode automatically
FreeRDP aborts if OpenSSL operates in FIPS mode and +fipsmode is not manually specified. Let's prevent the abortion and enable the necessary options in that case automatically.
---
 client/common/cmdline.c | 11 -----------
 libfreerdp/core/connection.c | 11 +++++++++++
 winpr/include/winpr/ssl.h | 2 ++
 winpr/libwinpr/utils/ssl.c | 14 ++++++++++++++
 4 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/client/common/cmdline.c b/client/common/cmdline.c
index f6f0d4aee..0c09ac25f 100644
--- a/client/common/cmdline.c
+++ b/client/common/cmdline.c
@@ -2827,17 +2827,6 @@ int freerdp_client_settings_parse_command_line_arguments(rdpSettings* settings,
 settings->ColorDepth = 32;
 }
- /* FIPS Mode forces the following and overrides the following(by happening later */
- /* in the command line processing): */
- /* 1. Disables NLA Security since NLA in freerdp uses NTLM(no Kerberos support yet) which uses algorithms */
- /* not allowed in FIPS for sensitive data. So, we disallow NLA when FIPS is required. */
- /* 2. Forces the only supported RDP encryption method to be FIPS. */
- if (settings->FIPSMode)
- {
- settings->NlaSecurity = FALSE;
- settings->EncryptionMethods = ENCRYPTION_METHOD_FIPS;
- }
-
 arg = CommandLineFindArgumentA(args, "port");
 if (arg->Flags & COMMAND_LINE_ARGUMENT_PRESENT)
diff --git a/libfreerdp/core/connection.c b/libfreerdp/core/connection.c
index 515a4d652..89e61d128 100644
--- a/libfreerdp/core/connection.c
+++ b/libfreerdp/core/connection.c
@@ -186,6 +186,17 @@ BOOL rdp_client_connect(rdpRdp* rdp)
 flags |= WINPR_SSL_INIT_ENABLE_FIPS;
 winpr_InitializeSSL(flags);
+ /* FIPS Mode forces the following and overrides the following(by happening later */
+ /* in the command line processing): */
+ /* 1. Disables NLA Security since NLA in freerdp uses NTLM(no Kerberos support yet) which uses algorithms */
+ /* not allowed in FIPS for sensitive data. So, we disallow NLA when FIPS is required. */
+ /* 2. Forces the only supported RDP encryption method to be FIPS. */
+ if (settings->FIPSMode || winpr_FIPSMode())
+ {
+ settings->NlaSecurity = FALSE;
+ settings->EncryptionMethods = ENCRYPTION_METHOD_FIPS;
+ }
+
 nego_init(rdp->nego);
 nego_set_target(rdp->nego, settings->ServerHostname, settings->ServerPort);
diff --git a/winpr/include/winpr/ssl.h b/winpr/include/winpr/ssl.h
index 22b1a6f64..0ff6b74c8 100644
--- a/winpr/include/winpr/ssl.h
+++ b/winpr/include/winpr/ssl.h
@@ -38,6 +38,8 @@ extern "C" {
 WINPR_API BOOL winpr_InitializeSSL(DWORD flags);
 WINPR_API BOOL winpr_CleanupSSL(DWORD flags);
+WINPR_API BOOL winpr_FIPSMode(void);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
index 7d6d7d6a7..f749939ac 100644
--- a/winpr/libwinpr/utils/ssl.c
+++ b/winpr/libwinpr/utils/ssl.c
@@ -346,6 +346,15 @@ BOOL winpr_CleanupSSL(DWORD flags)
 return TRUE;
 }
+BOOL winpr_FIPSMode(void)
+{
+#if (OPENSSL_VERSION_NUMBER < 0x10001000L)
+ return FALSE;
+#else
+ return (FIPS_mode() == 1);
+#endif
+}
+
 #else
 BOOL winpr_InitializeSSL(DWORD flags)
@@ -358,4 +367,9 @@ BOOL winpr_CleanupSSL(DWORD flags)
 return TRUE;
 }
+BOOL winpr_FIPSMode(void)
+{
+ return FALSE;
+}
+
 #endif
From 74bbbdb5c3bdf6333a3f512e0eb5ae902e040d09 Mon Sep 17 00:00:00 2001
From: Ondrej Holy
Date: Wed, 22 Nov 2017 19:41:35 +0100
Subject: [PATCH 2/2] Remove unused variable
Unused variable was added together with FIPS mode support, let's remove it.
---
 libfreerdp/core/freerdp.c | 1 -
 1 file changed, 1 deletion(-)
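Review bot: The new `if (settings->FIPSMode || winpr_FIPSMode())` block clears `settings->NlaSecurity` without any message, so when only the library reports FIPS mode a session the user configured for NLA continues with the weaker security methods and nothing records why; a warning before the assignments, e.g. `WLog_WARN(TAG, "FIPS mode active: disabling NLA and forcing FIPS encryption");`, would make that downgrade visible to the user and in logs. The moved comment still says the override works `by happening later in the command line processing`, which does not describe its new home in rdp_client_connect; reword it to say the adjustment is applied at connect time, after `winpr_InitializeSSL`. Other readers of `settings->FIPSMode` would presumably still see FALSE in the library-detected case, so setting `settings->FIPSMode = TRUE` inside the block may be needed to keep the two signals consistent — worth confirming against its other uses. rdp_client_connect starts and ends outside the hunk.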
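Review bot: `winpr_FIPSMode` joins the public WinPR API in ssl.h without a comment stating what it reports, and a caller of the header alone cannot tell whether it queries or switches FIPS mode. A short Doxygen block above the declaration would do, e.g. `/** Query whether the underlying SSL library is currently operating in FIPS mode; returns FALSE when the library cannot report it. */`. The surrounding `extern "C"` block starts outside the hunk.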
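Review bot: The OpenSSL branch of `winpr_FIPSMode` in ssl.c guards `FIPS_mode()` with only a lower version bound (`OPENSSL_VERSION_NUMBER < 0x10001000L`), so a later library that no longer exports that function — OpenSSL 3.0 dropped `FIPS_mode()` in favour of `EVP_default_properties_is_fips_enabled()` — breaks the build here instead of degrading to `return FALSE;`. Bounding the check from above as well, or keying it on the feature rather than the version, keeps the function compiling wherever the header declares it. A one-line comment on the definition, e.g. `/* TRUE when OpenSSL reports it is running in FIPS mode; FALSE where it cannot be queried */`, would also help, since the fallback definition in the following hunk returns FALSE unconditionally. The enclosing `#if`/`#else` that selects the OpenSSL build starts outside the hunk.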
diff --git a/libfreerdp/core/freerdp.c b/libfreerdp/core/freerdp.c
index 4468dc2d1..483c3bc72 100644
--- a/libfreerdp/core/freerdp.c
+++ b/libfreerdp/core/freerdp.c
@@ -615,7 +615,6 @@ BOOL freerdp_context_new(freerdp* instance)
 rdpRdp* rdp;
 rdpContext* context;
 BOOL ret = TRUE;
- DWORD flags = WINPR_SSL_INIT_DEFAULT;
 instance->context = (rdpContext*) calloc(1, instance->ContextSize);
 if (!instance->context)