From b81bd005bf52dabf3ca054050a9be9a40929a8f3 Mon Sep 17 00:00:00 2001
From: Jay Sorg
Date: Thu, 20 Feb 2014 00:41:53 -0800
Subject: [PATCH] libxrdp: started adding FIPS crypt

---
 libxrdp/libxrdp.h  | 20 +++++++++++++++++---
 libxrdp/xrdp_rdp.c |  7 ++++++-
 libxrdp/xrdp_sec.c | 36 +++++++++++++++++++-----------------
 3 files changed, 42 insertions(+), 21 deletions(-)

diff --git a/libxrdp/libxrdp.h b/libxrdp/libxrdp.h
index ebaff796..117c9f7f 100644
--- a/libxrdp/libxrdp.h
+++ b/libxrdp/libxrdp.h
@@ -1,7 +1,7 @@
 /**
  * xrdp: A Remote Desktop Protocol server.
  *
- * Copyright (C) Jay Sorg 2004-2013
+ * Copyright (C) Jay Sorg 2004-2014
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -73,6 +73,20 @@ struct xrdp_mcs
   struct list* channel_list;
 };
 
+/* Encryption Methods */
+#define CRYPT_METHOD_NONE 0x00000000
+#define CRYPT_METHOD_40BIT 0x00000001
+#define CRYPT_METHOD_128BIT 0x00000002
+#define CRYPT_METHOD_56BIT 0x00000008
+#define CRYPT_METHOD_FIPS 0x00000010
+
+/* Encryption Levels */
+#define CRYPT_LEVEL_NONE 0x00000000
+#define CRYPT_LEVEL_LOW 0x00000001
+#define CRYPT_LEVEL_CLIENT_COMPATIBLE 0x00000002
+#define CRYPT_LEVEL_HIGH 0x00000003
+#define CRYPT_LEVEL_FIPS 0x00000004
+
 /* sec */
 struct xrdp_sec
 {
@@ -90,9 +104,9 @@ struct xrdp_sec
   char encrypt_key[16];
   char decrypt_update_key[16];
   char encrypt_update_key[16];
-  int rc4_key_size; /* 1 = 40 bit, 2 = 128 bit */
+  int crypt_method;
   int rc4_key_len; /* 8 = 40 bit, 16 = 128 bit */
-  int crypt_level; /* 1, 2, 3 = low, meduim, high */
+  int crypt_level;
   char sign_key[16];
   void* decrypt_rc4_info;
   void* encrypt_rc4_info;
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
index 4cc2727f..1bf0c8f7 100644
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
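Review bot: The new CRYPT_METHOD_* constants are bit flags (0x01, 0x02, 0x08, 0x10) while the CRYPT_LEVEL_* constants are plain ordinals, and the header does not say which protocol fields either set encodes, so a reader will take them as one interchangeable numbering with the 1..4 values parsed in xrdp_rdp_read_config. I would head the first block with `/* encryptionMethod flags of TS_UD_CS_SEC / TS_UD_SC_SEC1 (MS-RDPBCGR 2.2.1.3.3, 2.2.1.4.3); the client sends a mask, the server answers with exactly one */` and the second with `/* encryptionLevel of TS_UD_SC_SEC1; numerically equal to the crypt_level config value but a distinct concept */`. CRYPT_METHOD_56BIT and CRYPT_METHOD_NONE are defined here but, as far as this commit shows, never selected in xrdp_sec_create, which is worth a short note so nobody assumes they are supported.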
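Review bot: Renaming rc4_key_size to crypt_method drops its comment, and the surviving comment on rc4_key_len ("8 = 40 bit, 16 = 128 bit") is now misleading once crypt_method can be CRYPT_METHOD_FIPS, which has no RC4 key at all. I would document the two renamed fields as `int crypt_method; /* one CRYPT_METHOD_* value, the method this server selected */` and `int crypt_level; /* one CRYPT_LEVEL_* value, sent as encryptionLevel in TS_UD_SC_SEC1 */`, and extend the rc4_key_len comment to say it is only meaningful for the RC4 methods. The rest of struct xrdp_sec lies outside the hunk.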
@@ -1,7 +1,7 @@
 /**
  * xrdp: A Remote Desktop Protocol server.
  *
- * Copyright (C) Jay Sorg 2004-2013
+ * Copyright (C) Jay Sorg 2004-2014
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -80,6 +80,10 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
     {
         client_info->crypt_level = 3;
     }
+    else if (g_strcasecmp(value, "fips") == 0)
+    {
+        client_info->crypt_level = 4;
+    }
     else
     {
         log_message(LOG_LEVEL_ALWAYS,"Warning: Your configured crypt level is"
@@ -628,6 +632,7 @@ xrdp_rdp_parse_client_mcs_data_CS_CORE(struct xrdp_rdp* self, struct stream* s)
 }
 
 /*****************************************************************************/
+/* TODO: move xrdp_sec.c::xrdp_sec_in_mcs_data here */
 static int APP_CC
 xrdp_rdp_parse_client_mcs_data(struct xrdp_rdp* self)
 {
diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
index d1bd49de..71cb513f 100644
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@@ -1,7 +1,7 @@
 /**
  * xrdp: A Remote Desktop Protocol server.
  *
- * Copyright (C) Jay Sorg 2004-2013
+ * Copyright (C) Jay Sorg 2004-2014
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
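Review bot: The new `fips` branch stores the bare literal 4 into client_info->crypt_level, and that value only means FIPS because the switch in xrdp_sec_create happens to map case 4 to CRYPT_LEVEL_FIPS; the number is now duplicated across two files with nothing tying the copies together. Since the CRYPT_LEVEL_* values introduced in libxrdp.h coincide with the config numbering (LOW=1 through FIPS=4), I would write `client_info->crypt_level = CRYPT_LEVEL_FIPS;` here if that header is in scope for this file (it appears to be, given the shared struct definitions, but I cannot see the includes), or else add `/* 4 = fips, must match the switch in xrdp_sec_create */`. The low/medium/high branches and the enclosing xrdp_rdp_read_config start outside the hunk.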
@@ -145,22 +145,25 @@ xrdp_sec_create(struct xrdp_rdp *owner, struct trans *trans, int crypt_level,
     DEBUG((" in xrdp_sec_create"));
     self = (struct xrdp_sec *)g_malloc(sizeof(struct xrdp_sec), 1);
     self->rdp_layer = owner;
-    self->rc4_key_size = 1; /* 1 = 40 bit, 2 = 128 bit */
-    self->crypt_level = 1; /* 1, 2, 3 = low, medium, high */
-
+    self->crypt_method = CRYPT_METHOD_40BIT;
+    self->crypt_level = CRYPT_LEVEL_LOW;
     switch (crypt_level)
     {
-        case 1:
-            self->rc4_key_size = 1;
-            self->crypt_level = 1;
+        case 1: /* low */
+            self->crypt_method = CRYPT_METHOD_40BIT;
+            self->crypt_level = CRYPT_LEVEL_LOW;
+            break;
+        case 2: /* medium */
+            self->crypt_method = CRYPT_METHOD_40BIT;
+            self->crypt_level = CRYPT_LEVEL_CLIENT_COMPATIBLE;
             break;
-        case 2:
-            self->rc4_key_size = 1;
-            self->crypt_level = 2;
+        case 3: /* high */
+            self->crypt_method = CRYPT_METHOD_128BIT;
+            self->crypt_level = CRYPT_LEVEL_HIGH;
             break;
-        case 3:
-            self->rc4_key_size = 2;
-            self->crypt_level = 3;
+        case 4: /* fips */
+            self->crypt_method = CRYPT_METHOD_FIPS;
+            self->crypt_level = CRYPT_LEVEL_FIPS;
             break;
         default:
             g_writeln("Fatal : Illegal crypt_level");
@@ -715,7 +718,7 @@ xrdp_sec_establish_keys(struct xrdp_sec *self)
     xrdp_sec_hash_16(self->decrypt_key, session_key + 32, self->client_random,
                      self->server_random);
 
-    if (self->rc4_key_size == 1)
+    if (self->crypt_method == CRYPT_METHOD_40BIT)
     {
         xrdp_sec_make_40bit(self->sign_key);
         xrdp_sec_make_40bit(self->encrypt_key);
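Review bot: `case 4` selects CRYPT_METHOD_FIPS / CRYPT_LEVEL_FIPS, but nothing else in this commit implements a FIPS key schedule: xrdp_sec_establish_keys (hunk @@ -715) still derives RC4 keys and its new test only separates CRYPT_METHOD_40BIT from "everything else", so a FIPS method silently takes the 128-bit RC4 path, and rc4_key_len is not set anywhere in this hunk. A server configured with crypt_level=fips therefore advertises FIPS in xrdp_sec_out_mcs_data while actually running RC4, which a client that honours the advertised method is likely to reject or mis-decrypt. Until the FIPS (3DES/SHA-1) path exists I would keep the configuration value parseable but route it to the existing error path, `case 4: /* fips: not implemented yet, fall through to the error path */` placed directly above `default:`, and in xrdp_sec_establish_keys branch explicitly on CRYPT_METHOD_128BIT and reject any other method with that function's error return instead of an implicit else. The pre-switch defaults duplicate `case 1` and could go, a matter of style. Both enclosing functions continue outside their hunks.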
@@ -1152,9 +1155,8 @@ xrdp_sec_out_mcs_data(struct xrdp_sec *self)
 
     out_uint16_le(s, SEC_TAG_SRV_CRYPT);
     out_uint16_le(s, 0x00ec); /* len is 236 */
-    out_uint32_le(s, self->rc4_key_size); /* key len 1 = 40 bit 2 = 128 bit */
-    out_uint32_le(s, self->crypt_level); /* crypt level 1 = low 2 = medium */
-    /* 3 = high */
+    out_uint32_le(s, self->crypt_method);
+    out_uint32_le(s, self->crypt_level);
     out_uint32_le(s, 32); /* 32 bytes random len */
     out_uint32_le(s, 0xb8); /* 184 bytes rsa info(certificate) len */
     out_uint8a(s, self->server_random, 32);
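Review bot: The two rewritten `out_uint32_le` calls lose the comments that named the wire fields they fill, so the only way to check that the order is right is to know that TS_UD_SC_SEC1 carries encryptionMethod before encryptionLevel. I would keep one comment per field: `out_uint32_le(s, self->crypt_method); /* encryptionMethod */` and `out_uint32_le(s, self->crypt_level); /* encryptionLevel */`. Also worth a note here: now that CRYPT_METHOD_NONE and CRYPT_LEVEL_NONE exist, the fixed 0x00ec length and the unconditional serverRandom/certificate fields that follow are, as I read the spec, only valid when encryption is enabled, so a later "none" setting must not reuse this block unchanged. xrdp_sec_out_mcs_data starts outside the hunk.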