From: Paul Moore <pmoore@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Wed, 02 May 2012 11:50:42 -0400 [thread overview]
Message-ID: <1644942.8Ul4qYdc8c@sifl> (raw)
In-Reply-To: <20120502091850.GK13336@redhat.com>
On Wednesday, May 02, 2012 10:18:50 AM Daniel P. Berrange wrote:
> On Tue, May 01, 2012 at 05:20:40PM -0400, Paul Moore wrote:
> > diff --git a/ui/vnc.c b/ui/vnc.c
> > index deb9ecd..620791e 100644
> > --- a/ui/vnc.c
> > +++ b/ui/vnc.c
> > @@ -32,6 +32,7 @@
> >
> > #include "acl.h"
> > #include "qemu-objects.h"
> > #include "qmp-commands.h"
> >
> > +#include <syslog.h>
> >
> > #define VNC_REFRESH_INTERVAL_BASE 30
> > #define VNC_REFRESH_INTERVAL_INC 50
> >
> > @@ -48,6 +49,24 @@ static DisplayChangeListener *dcl;
> >
> > static int vnc_cursor_define(VncState *vs);
> > static void vnc_release_modifiers(VncState *vs);
> >
> > +static int fips_enabled(void)
>
> s/int/bool/ and use true/false as values
Fixed.
> > +{
> > + int enabled = 0;
> > + char value;
> > + FILE *fds;
> > +
> > + fds = fopen("/proc/sys/crypto/fips_enabled", "r");
> > + if (fds == NULL) {
> > + return 0;
> > + }
> > + if (fread(&value, sizeof(value), 1, fds) == 1 && value == '1') {
> > + enabled = 1;
> > + }
> > + fclose(fds);
> > +
> > + return enabled;
> > +}
>
> As already pointed out,wWe should probably make this depend on
> __linux__, and 'return false' fo other platforms.
Yep, that makes sense. Fixed.
> > static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
> > {
> > #ifdef _VNC_DEBUG
> >
> > @@ -2748,6 +2767,12 @@ void vnc_display_init(DisplayState *ds)
> >
> > dcl->idle = 1;
> > vnc_display = vs;
> >
> > + vs->fips = fips_enabled();
> > + VNC_DEBUG("FIPS mode %s\n", (vs->fips ? "enabled" : "disabled"));
> > + if (vs->fips) {
> > + syslog(LOG_NOTICE, "Disabling VNC password auth due to FIPS
> > mode\n"); + }
>
> I think this syslog message is better placed in the next chunk of the
> patch where you actually test the vs->fips value.
My reasoning for placing it here is so that there would be some positive
indication that VNC password auth is disabled even if the user isn't
attempting to use the it. Although I can understand the reasoning for moving
it down as well so that things are quieter in the non-passwd-auth case.
With this in mind, do you still think it should be moved down?
Regardless, thanks again for your time and comments.
--
paul moore
security and virtualization @ redhat
prev parent reply other threads:[~2012-05-02 15:50 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-01 21:20 [Qemu-devel] [PATCH] vnc: disable VNC password authentication (security type 2) when in FIPS mode Paul Moore
2012-05-01 22:54 ` Andreas Färber
2012-05-02 10:28 ` Christoph Hellwig
2012-05-02 11:05 ` Daniel P. Berrange
2012-05-02 15:45 ` Paul Moore
2012-05-01 23:26 ` Anthony Liguori
2012-05-01 23:43 ` George Wilson
2012-05-01 23:45 ` Anthony Liguori
2012-05-02 0:17 ` George Wilson
2012-05-02 9:29 ` Daniel P. Berrange
2012-05-02 9:16 ` Daniel P. Berrange
2012-05-02 9:18 ` Daniel P. Berrange
2012-05-02 15:50 ` Paul Moore [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1644942.8Ul4qYdc8c@sifl \
--to=pmoore@redhat.com \
--cc=berrange@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).