All of lore.kernel.org
 help / color / mirror / Atom feed
From: Paul Moore <pmoore@redhat.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Wed, 02 May 2012 15:32:56 -0400	[thread overview]
Message-ID: <20120502193256.6508.86360.stgit@sifl> (raw)

FIPS 140-2 requires disabling certain ciphers, including DES, which is used
by VNC to obscure passwords when they are sent over the network.  The
solution for FIPS users is to disable the use of VNC password auth when the
host system is operating in FIPS mode.

This patch causes qemu to emit a syslog entry indicating that VNC password
auth is disabled when it detects the host is running in FIPS mode, and
unless a VNC password was specified on the command line it continues
normally.  However, if a VNC password was given on the command line, qemu
fails with an error message to stderr explaining that VNC password auth is
not allowed in FIPS mode.

Signed-off-by: Paul Moore <pmoore@redhat.com>

--
Changelog
* v2
- Protected syslog with _WIN32
- Protected the guts of fips_enabled() with __linux__
- Converted fips_enabled() and the fips flag from int to bool
*v1
- Initial draft
---
 qemu-doc.texi |    8 +++++---
 ui/vnc.c      |   39 +++++++++++++++++++++++++++++++++++++++
 ui/vnc.h      |    1 +
 3 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/qemu-doc.texi b/qemu-doc.texi
index e5d7ac4..f9b113e 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -1124,9 +1124,11 @@ the protocol limits passwords to 8 characters it should not be considered
 to provide high security. The password can be fairly easily brute-forced by
 a client making repeat connections. For this reason, a VNC server using password
 authentication should be restricted to only listen on the loopback interface
-or UNIX domain sockets. Password authentication is requested with the @code{password}
-option, and then once QEMU is running the password is set with the monitor. Until
-the monitor is used to set the password all clients will be rejected.
+or UNIX domain sockets. Password authentication is not supported when operating
+in FIPS 140-2 compliance mode as it requires the use of the DES cipher. Password
+authentication is requested with the @code{password} option, and then once QEMU
+is running the password is set with the monitor. Until the monitor is used to
+set the password all clients will be rejected.
 
 @example
 qemu [...OPTIONS...] -vnc :1,password -monitor stdio
diff --git a/ui/vnc.c b/ui/vnc.c
index deb9ecd..6162425 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -32,6 +32,9 @@
 #include "acl.h"
 #include "qemu-objects.h"
 #include "qmp-commands.h"
+#ifndef _WIN32
+#include <syslog.h>
+#endif
 
 #define VNC_REFRESH_INTERVAL_BASE 30
 #define VNC_REFRESH_INTERVAL_INC  50
@@ -48,6 +51,27 @@ static DisplayChangeListener *dcl;
 static int vnc_cursor_define(VncState *vs);
 static void vnc_release_modifiers(VncState *vs);
 
+static bool fips_enabled(void)
+{
+    bool enabled = false;
+
+#ifdef __linux__
+    FILE *fds;
+    char value;
+
+    fds = fopen("/proc/sys/crypto/fips_enabled", "r");
+    if (fds == NULL) {
+        return false;
+    }
+    if (fread(&value, sizeof(value), 1, fds) == 1 && value == '1') {
+        enabled = true;
+    }
+    fclose(fds);
+#endif /* __linux__ */
+
+    return enabled;
+}
+
 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
 {
 #ifdef _VNC_DEBUG
@@ -2748,6 +2772,14 @@ void vnc_display_init(DisplayState *ds)
     dcl->idle = 1;
     vnc_display = vs;
 
+    vs->fips = fips_enabled();
+    VNC_DEBUG("FIPS mode %s\n", (vs->fips ? "enabled" : "disabled"));
+#ifndef _WIN32
+    if (vs->fips) {
+        syslog(LOG_NOTICE, "Disabling VNC password auth due to FIPS mode\n");
+    }
+#endif /* _WIN32 */
+
     vs->lsock = -1;
 
     vs->ds = ds;
@@ -2892,6 +2924,13 @@ int vnc_display_open(DisplayState *ds, const char *display)
     while ((options = strchr(options, ','))) {
         options++;
         if (strncmp(options, "password", 8) == 0) {
+            if (vs->fips) {
+                fprintf(stderr,
+                        "VNC password auth disabled due to FIPS mode\n");
+                g_free(vs->display);
+                vs->display = NULL;
+                return -1;
+            }
             password = 1; /* Require password auth */
         } else if (strncmp(options, "reverse", 7) == 0) {
             reverse = 1;
diff --git a/ui/vnc.h b/ui/vnc.h
index a851ebd..d41631b 100644
--- a/ui/vnc.h
+++ b/ui/vnc.h
@@ -160,6 +160,7 @@ struct VncDisplay
     char *display;
     char *password;
     time_t expires;
+    bool fips;
     int auth;
     bool lossy;
     bool non_adaptive;

             reply	other threads:[~2012-05-02 19:33 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-05-02 19:32 Paul Moore [this message]
2012-05-03  8:29 ` [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode Daniel P. Berrange
2012-05-03  8:51   ` Alexander Graf
2012-05-03  8:57     ` Daniel P. Berrange
2012-05-03  9:01       ` Alexander Graf
2012-05-03  9:03         ` Daniel P. Berrange
2012-05-03  9:06           ` Alexander Graf
2012-05-03  9:09             ` Daniel P. Berrange
2012-05-03  9:11               ` Alexander Graf
2012-05-03 20:58                 ` Paul Moore
2012-05-03  9:04         ` Alexander Graf
2012-05-03 20:51   ` Paul Moore
2012-05-03 14:54 ` Alexander Graf
2012-05-03 20:54   ` Paul Moore
2012-05-04  2:01     ` Roman Drahtmueller
2012-05-04 12:39       ` Paul Moore
2012-05-04 12:42         ` Daniel P. Berrange
2012-06-03  0:55 ` Anthony Liguori
2012-06-04 18:16   ` Paul Moore
2012-06-04 23:11     ` Anthony Liguori
2012-06-04 23:17       ` Alexander Graf
2012-06-04 23:54         ` Anthony Liguori
2012-06-05  0:55           ` Alexander Graf
2012-06-05  1:03             ` Anthony Liguori
2012-06-05  1:08               ` Alexander Graf
2012-06-05  1:23                 ` Anthony Liguori
2012-06-05  1:29                   ` Alexander Graf
2012-06-05  7:23                   ` Gerd Hoffmann
2012-06-05 21:45                 ` Paul Moore
2012-06-05 21:51                   ` Alexander Graf
2012-06-05 22:06                     ` Paul Moore
2012-06-05 23:07                       ` Anthony Liguori
2012-06-05 23:56                         ` Alexander Graf
2012-06-06 22:56                           ` Paul Moore
2012-06-07  3:10                             ` Anthony Liguori
2012-06-07 10:31                               ` Alexander Graf
2012-06-07 13:21                                 ` Paul Moore
2012-06-08 21:37                                   ` Paul Moore
2012-06-11 13:33                                 ` Roman Drahtmueller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120502193256.6508.86360.stgit@sifl \
    --to=pmoore@redhat.com \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.