All of lore.kernel.org
 help / color / mirror / Atom feed
From: Paul Moore <pmoore@redhat.com>
To: Roman Drahtmueller <draht@suse.de>
Cc: Alexander Graf <agraf@suse.de>,
	qemu-devel Developers <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Fri, 04 May 2012 08:39:04 -0400	[thread overview]
Message-ID: <4659908.x6KEQUt2IX@sifl> (raw)
In-Reply-To: <alpine.LNX.2.00.1205040325480.12903@qrag.fhfr.qr>

On Friday, May 04, 2012 04:01:09 AM Roman Drahtmueller wrote:
> > > > FIPS 140-2 requires disabling certain ciphers, including DES, which is
> > > > used
> > > > by VNC to obscure passwords when they are sent over the network.  The
> > > > solution for FIPS users is to disable the use of VNC password auth
> > > > when
> > > > the
> > > > host system is operating in FIPS mode.
> > > > 
> > > > This patch causes qemu to emit a syslog entry indicating that VNC
> > > > password
> > > > auth is disabled when it detects the host is running in FIPS mode, and
> > > > unless a VNC password was specified on the command line it continues
> > > > normally.  However, if a VNC password was given on the command line,
> > > > qemu
> > > > fails with an error message to stderr explaining that VNC password
> > > > auth is
> > > > not allowed in FIPS mode.
> > > 
> > > I just talked to Roman about this one and he had some comments :)
> > 
> > I'm sure he did :)
> 
> *g* Thanks, Alex! :)
> 
> The purpose makes perfect sense, I think.
> 
> Some small glitch, though:
> 
> fips=1 on the kernel commandline turns on fips mode in the kernel crypto,
> and leaves "1" in /proc/sys/crypto/fips_enabled for userland to consume.
> openssl starts up, reads the file and runs its fips initialization with
> "1" in the file. Typically...
> 
> Two problems:
> 1) openssl may not come with FIPS support. proc file is ignored.
> 2) openssl may run in FIPS mode for reasons other than fips=1 on the
>    kernel cmdline (environment, ...).
>
> Suggested way to handle this:
> 
> 1) compile-time check if <openssl/fips.h> exists.
>    Ignore fips specifics if not, otherwise:
> 2) use int FIPS_mode(void) for what it's there:
> 
> #ifdef _QEMU_FIPS 		/* or whatever */
> #include <openssl/fips.h>
>   vs->fips = FIPS_mode();
> #endif
> 
> and skip fips_enabled(void).
> 
> Much easier!

If QEMU's VNC implementation used OpenSSL's DES cipher for the password 
encryption I would agree with you, but QEMU uses its own implementation 
(ui/d3des.*) and because of this I think it makes the most sense to check the 
kernel setting directly.

-- 
paul moore
security and virtualization @ redhat

  reply	other threads:[~2012-05-04 12:39 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-05-02 19:32 [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode Paul Moore
2012-05-03  8:29 ` Daniel P. Berrange
2012-05-03  8:51   ` Alexander Graf
2012-05-03  8:57     ` Daniel P. Berrange
2012-05-03  9:01       ` Alexander Graf
2012-05-03  9:03         ` Daniel P. Berrange
2012-05-03  9:06           ` Alexander Graf
2012-05-03  9:09             ` Daniel P. Berrange
2012-05-03  9:11               ` Alexander Graf
2012-05-03 20:58                 ` Paul Moore
2012-05-03  9:04         ` Alexander Graf
2012-05-03 20:51   ` Paul Moore
2012-05-03 14:54 ` Alexander Graf
2012-05-03 20:54   ` Paul Moore
2012-05-04  2:01     ` Roman Drahtmueller
2012-05-04 12:39       ` Paul Moore [this message]
2012-05-04 12:42         ` Daniel P. Berrange
2012-06-03  0:55 ` Anthony Liguori
2012-06-04 18:16   ` Paul Moore
2012-06-04 23:11     ` Anthony Liguori
2012-06-04 23:17       ` Alexander Graf
2012-06-04 23:54         ` Anthony Liguori
2012-06-05  0:55           ` Alexander Graf
2012-06-05  1:03             ` Anthony Liguori
2012-06-05  1:08               ` Alexander Graf
2012-06-05  1:23                 ` Anthony Liguori
2012-06-05  1:29                   ` Alexander Graf
2012-06-05  7:23                   ` Gerd Hoffmann
2012-06-05 21:45                 ` Paul Moore
2012-06-05 21:51                   ` Alexander Graf
2012-06-05 22:06                     ` Paul Moore
2012-06-05 23:07                       ` Anthony Liguori
2012-06-05 23:56                         ` Alexander Graf
2012-06-06 22:56                           ` Paul Moore
2012-06-07  3:10                             ` Anthony Liguori
2012-06-07 10:31                               ` Alexander Graf
2012-06-07 13:21                                 ` Paul Moore
2012-06-08 21:37                                   ` Paul Moore
2012-06-11 13:33                                 ` Roman Drahtmueller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4659908.x6KEQUt2IX@sifl \
    --to=pmoore@redhat.com \
    --cc=agraf@suse.de \
    --cc=draht@suse.de \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.