From: "Daniel P. Berrange" <berrange@redhat.com>
To: Christoph Hellwig <hch@lst.de>
Cc: Paul Moore <pmoore@redhat.com>, Stefan Weil <sw@weilnetz.de>,
Andreas Färber <afaerber@suse.de>,
qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Wed, 2 May 2012 12:05:06 +0100
Message-ID: <20120502110506.GO13336@redhat.com>
In-Reply-To: <20120502102802.GA28788@lst.de>

On Wed, May 02, 2012 at 12:28:02PM +0200, Christoph Hellwig wrote:
> On Wed, May 02, 2012 at 12:54:21AM +0200, Andreas Färber wrote:
> > > + fds = fopen("/proc/sys/crypto/fips_enabled", "r");
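Review bot: the fopen() of /proc/sys/crypto/fips_enabled on this line needs a defined result for hosts where the file does not exist, since the path is Linux procfs only. Suggest guarding the probe with #ifdef __linux__ and treating a NULL return with errno == ENOENT as "FIPS mode off", while any other open or read error is reported instead of being silently ignored.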
> >
> > How standardized is this? Should we limit this to __linux__ or something?
>
> It's completely non-standard and doesn't even exist in mainline Linux.
>
> All the FIPS bullshit is a RHEL-private feature, which is where this patch
> should stay as well.

You really should check your facts before making such grand assertions
that are trivially disprovable.

It *is* in the mainline kernel:

$ wget https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.3.4.tar.bz2
$ tar jxvf linux-3.3.4.tar.bz2
$ cd linux-3.3.4
$ find | grep -i fips
./crypto/fips.c
./include/linux/fips.h
$ find -type f | xargs grep fips_enabled
./drivers/char/random.c: if (fips_enabled) {
./crypto/fips.c:int fips_enabled;
./crypto/fips.c:EXPORT_SYMBOL_GPL(fips_enabled);
./crypto/fips.c: fips_enabled = !!simple_strtol(str, NULL, 0);
./crypto/fips.c: fips_enabled ? "enabled" : "disabled");
./crypto/tcrypt.c: if (fips_enabled && ret == -EINVAL)
./crypto/tcrypt.c: if (!fips_enabled)
./crypto/testmgr.c: if (fips_enabled && !alg_test_descs[i].fips_allowed)
./crypto/testmgr.c: if (fips_enabled && ((i >= 0 && !alg_test_descs[i].fips_allowed) ||
./crypto/testmgr.c: if (fips_enabled && rc)
./crypto/testmgr.c: if (fips_enabled && !rc)
./crypto/proc.c: .procname = "fips_enabled",
./crypto/proc.c: .data = &fips_enabled,
./include/linux/fips.h:extern int fips_enabled;
./include/linux/fips.h:#define fips_enabled 0

It is *not* solely "RHEL bullshit":

$ cat /etc/fedora-release
Fedora release 17 (Beefy Miracle)
$ rpm -qf /lib64/libfipscheck.so.1
fipscheck-lib-1.3.0-3.fc17.x86_64

It *is* in all upstream crypto libraries:

# wget ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.0.tar.bz2
# tar jxvf libgcrypt-1.5.0.tar.bz2
# cd libgcrypt-1.5.0
# find | grep fips
./random/random-fips.c
./src/fips.c
./tests/fips186-dsa.c
./tests/fipsdrv.c
./doc/fips-fsm.pdf
./doc/fips-fsm.fig
./doc/fips-fsm.png
./doc/fips-fsm.eps
# wget http://www.openssl.org/source/openssl-1.0.1b.tar.gz
# tar zxvf openssl-1.0.1b.tar.gz
# cd openssl-1.0.1b
# find | grep fips
./test/testfipsssl
./crypto/dsa/fips186a.txt
./crypto/o_fips.c
./crypto/evp/evp_fips.c
./crypto/fips_err.h
./crypto/fips_ers.c
# wget ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_13_4_RTM/src/nss-3.13.4.tar.gz
# tar zxvf nss-3.13.4.tar.gz
# cd nss-3.13.4
# find | grep fips
./mozilla/security/nss/lib/softoken/fipsaudt.c
./mozilla/security/nss/lib/softoken/fipstest.c
./mozilla/security/nss/lib/softoken/fipstokn.c
./mozilla/security/nss/tests/fips
./mozilla/security/nss/tests/fips/fips.sh
./mozilla/security/nss/cmd/fipstest
./mozilla/security/nss/cmd/fipstest/dsa.sh
./mozilla/security/nss/cmd/fipstest/rsa.sh
./mozilla/security/nss/cmd/fipstest/manifest.mn
./mozilla/security/nss/cmd/fipstest/rng.sh
./mozilla/security/nss/cmd/fipstest/fipstest.c
./mozilla/security/nss/cmd/fipstest/sha.sh
./mozilla/security/nss/cmd/fipstest/hmac.sh
./mozilla/security/nss/cmd/fipstest/tdea.sh
./mozilla/security/nss/cmd/fipstest/Makefile
./mozilla/security/nss/cmd/fipstest/ecdsa.sh
./mozilla/security/nss/cmd/fipstest/aes.sh

And fully documented by upstreams too:

http://www.gnupg.org/documentation/manuals/gcrypt/Enabling-FIPS-mode.html
https://www.mozilla.org/projects/security/pki/nss/fips/
http://www.openssl.org/docs/fips/fipsnotes.html

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
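
A fail-closed way to read the sysctl that the quoted patch line opens, shown as an added example that is not part of this message or of the QEMU patch. The names `fips_probe()` and `vnc_password_auth_allowed()` and the return convention are assumptions made for illustration.

```c
/* Added example, not QEMU code: fips_probe(), vnc_password_auth_allowed()
 * and the return convention are hypothetical, chosen for illustration. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define FIPS_SYSCTL "/proc/sys/crypto/fips_enabled"

/* Returns 1 if FIPS mode is on, 0 if it is off or the sysctl does not exist
 * (non-Linux host, or a kernel that does not expose it), and -1 if the file
 * exists but cannot be read or parsed, so the caller can fail closed. */
int fips_probe(const char *path)
{
    char buf[16];
    char *end;
    long val;
    FILE *f = fopen(path, "r");

    if (f == NULL) {
        return errno == ENOENT ? 0 : -1;
    }
    if (fgets(buf, sizeof(buf), f) == NULL) {
        fclose(f);
        return -1;          /* empty file or read error */
    }
    fclose(f);

    errno = 0;
    val = strtol(buf, &end, 10);
    if (end == buf || errno != 0 || (*end != '\n' && *end != '\0')) {
        return -1;          /* not a plain integer */
    }
    /* Any non-zero value counts as enabled, mirroring the
     * !!simple_strtol() normalisation in crypto/fips.c quoted above. */
    return val != 0;
}

/* Policy from the patch subject: no VNC password authentication
 * (security type 2) in FIPS mode. An unreadable sysctl is handled like
 * FIPS mode, so a probe failure never re-enables the weak scheme. */
int vnc_password_auth_allowed(const char *path)
{
    return fips_probe(path) == 0;
}

int main(void)
{
    printf("VNC password auth allowed: %s\n",
           vnc_password_auth_allowed(FIPS_SYSCTL) ? "yes" : "no");
    return 0;
}
```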