qemu-devel.nongnu.org archive mirror
From: "Daniel P. Berrange" <berrange@redhat.com>
To: Paul Moore <pmoore@redhat.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Thu, 3 May 2012 09:29:15 +0100
Message-ID: <20120503082915.GF24747@redhat.com>
In-Reply-To: <20120502193256.6508.86360.stgit@sifl>

On Wed, May 02, 2012 at 03:32:56PM -0400, Paul Moore wrote:
> FIPS 140-2 requires disabling certain ciphers, including DES, which is used
> by VNC to obscure passwords when they are sent over the network.  The
> solution for FIPS users is to disable the use of VNC password auth when the
> host system is operating in FIPS mode.
> 
> This patch causes qemu to emit a syslog entry indicating that VNC password
> auth is disabled when it detects the host is running in FIPS mode, and
> unless a VNC password was specified on the command line it continues
> normally.  However, if a VNC password was given on the command line, qemu
> fails with an error message to stderr explaining that VNC password auth is
> not allowed in FIPS mode.
> 
> Signed-off-by: Paul Moore <pmoore@redhat.com>
> 
> --
> Changelog
> * v2
> - Protected syslog with _WIN32
> - Protected the guts of fips_enabled() with __linux__
> - Converted fips_enabled() and the fips flag from int to bool
> * v1
> - Initial draft
> ---
>  qemu-doc.texi |    8 +++++---
>  ui/vnc.c      |   39 +++++++++++++++++++++++++++++++++++++++
>  ui/vnc.h      |    1 +
>  3 files changed, 45 insertions(+), 3 deletions(-)
> 
> diff --git a/qemu-doc.texi b/qemu-doc.texi
> index e5d7ac4..f9b113e 100644
> --- a/qemu-doc.texi
> +++ b/qemu-doc.texi
> @@ -1124,9 +1124,11 @@ the protocol limits passwords to 8 characters it should not be considered
>  to provide high security. The password can be fairly easily brute-forced by
>  a client making repeat connections. For this reason, a VNC server using password
>  authentication should be restricted to only listen on the loopback interface
> -or UNIX domain sockets. Password authentication is requested with the @code{password}
> -option, and then once QEMU is running the password is set with the monitor. Until
> -the monitor is used to set the password all clients will be rejected.
> +or UNIX domain sockets. Password authentication is not supported when operating
> +in FIPS 140-2 compliance mode as it requires the use of the DES cipher. Password
> +authentication is requested with the @code{password} option, and then once QEMU
> +is running the password is set with the monitor. Until the monitor is used to
> +set the password all clients will be rejected.
>  
>  @example
>  qemu [...OPTIONS...] -vnc :1,password -monitor stdio
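Review bot: the new sentence states that password authentication is not supported in FIPS mode but does not say what QEMU does when `-vnc :1,password` is given on a FIPS host; the ui/vnc.c change in this same patch makes startup fail with an error on stderr, and admins reading only this manual would not expect a hard failure. Suggest adding one sentence here, e.g. "When the host is running in FIPS mode (/proc/sys/crypto/fips_enabled reads 1) QEMU refuses to start if the @code{password} option is given", so the refusal is not mistaken for a misconfiguration.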
> diff --git a/ui/vnc.c b/ui/vnc.c
> index deb9ecd..6162425 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -32,6 +32,9 @@
>  #include "acl.h"
>  #include "qemu-objects.h"
>  #include "qmp-commands.h"
> +#ifndef _WIN32
> +#include <syslog.h>
> +#endif
>  
>  #define VNC_REFRESH_INTERVAL_BASE 30
>  #define VNC_REFRESH_INTERVAL_INC  50
> @@ -48,6 +51,27 @@ static DisplayChangeListener *dcl;
>  static int vnc_cursor_define(VncState *vs);
>  static void vnc_release_modifiers(VncState *vs);
>  
> +static bool fips_enabled(void)
> +{
> +    bool enabled = false;
> +
> +#ifdef __linux__
> +    FILE *fds;
> +    char value;
> +
> +    fds = fopen("/proc/sys/crypto/fips_enabled", "r");
> +    if (fds == NULL) {
> +        return false;
> +    }
> +    if (fread(&value, sizeof(value), 1, fds) == 1 && value == '1') {
> +        enabled = true;
> +    }
> +    fclose(fds);
> +#endif /* __linux__ */
> +
> +    return enabled;
> +}
> +
>  static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
>  {
>  #ifdef _VNC_DEBUG
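Review bot: fips_enabled() fails open: when /proc/sys/crypto/fips_enabled cannot be opened, or its first byte is anything other than '1', the host is treated as non-FIPS. That is the right default for ordinary hosts, but it deserves a one-line comment so the fail-open choice is not later mistaken for an oversight. Two smaller points: the `FILE *` is named `fds`, which reads like a descriptor set (`fp` would be clearer), and a comment noting the sysctl's expected content ('0' or '1' followed by a newline) would make the single-byte fread check self-explanatory.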
> @@ -2748,6 +2772,14 @@ void vnc_display_init(DisplayState *ds)
>      dcl->idle = 1;
>      vnc_display = vs;
>  
> +    vs->fips = fips_enabled();
> +    VNC_DEBUG("FIPS mode %s\n", (vs->fips ? "enabled" : "disabled"));
> +#ifndef _WIN32
> +    if (vs->fips) {
> +        syslog(LOG_NOTICE, "Disabling VNC password auth due to FIPS mode\n");
> +    }
> +#endif /* _WIN32 */

I really think this should only be done if a password is actually set.
With the code as it is, then every single time you launch a VM you're
going to get this message in syslog, which makes it appear as if something
is trying to illegally use passwords in FIPS mode. I feel this will cause
admins/auditors to be worried about something being wrong, when in fact
everything is normal.

> +
>      vs->lsock = -1;
>  
>      vs->ds = ds;
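Review bot: the syslog notice in vnc_display_init() is emitted on every VM start on a FIPS host regardless of whether password auth was requested, so "Disabling VNC password auth due to FIPS mode" records nothing actionable and will look like repeated policy violations to anyone reviewing the log; emit it only when the `password` option is actually seen (the branch in vnc_display_open() in this patch already has that information). Two style points: syslog(3) messages do not need the trailing `\n`, and the closing comment `#endif /* _WIN32 */` is misleading for a block compiled only when _WIN32 is not defined; `/* !_WIN32 */` is the usual form.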
> @@ -2892,6 +2924,13 @@ int vnc_display_open(DisplayState *ds, const char *display)
>      while ((options = strchr(options, ','))) {
>          options++;
>          if (strncmp(options, "password", 8) == 0) {
> +            if (vs->fips) {
> +                fprintf(stderr,
> +                        "VNC password auth disabled due to FIPS mode\n");
> +                g_free(vs->display);
> +                vs->display = NULL;
> +                return -1;
> +            }
>              password = 1; /* Require password auth */
>          } else if (strncmp(options, "reverse", 7) == 0) {
>              reverse = 1;
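Review bot: the refusal in the `password` branch is reported only via fprintf(stderr), so on a FIPS host the one event an auditor actually wants recorded, that a configured VNC password was rejected and QEMU exited, never reaches syslog while the generic startup notice does. Consider logging the rejection with syslog(LOG_NOTICE, ...) under the same `#ifndef _WIN32` guard used in vnc_display_init() before the `return -1`, and stating the reason in the message, e.g. "VNC password auth uses DES, which is not permitted in FIPS mode", so the operator can tell an expected policy refusal from a crypto failure.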
> diff --git a/ui/vnc.h b/ui/vnc.h
> index a851ebd..d41631b 100644
> --- a/ui/vnc.h
> +++ b/ui/vnc.h
> @@ -160,6 +160,7 @@ struct VncDisplay
>      char *display;
>      char *password;
>      time_t expires;
> +    bool fips;
>      int auth;
>      bool lossy;
>      bool non_adaptive;
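Review bot: the new `bool fips;` member has no comment explaining its meaning or when it is set; a short one such as "host is in FIPS 140-2 mode; VNC password auth is refused" beside the declaration would save the next reader a trip to fips_enabled().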


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


Thread overview: 39+ messages
2012-05-02 19:32 [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode Paul Moore
2012-05-03  8:29 ` Daniel P. Berrange [this message]
2012-05-03  8:51   ` Alexander Graf
2012-05-03  8:57     ` Daniel P. Berrange
2012-05-03  9:01       ` Alexander Graf
2012-05-03  9:03         ` Daniel P. Berrange
2012-05-03  9:06           ` Alexander Graf
2012-05-03  9:09             ` Daniel P. Berrange
2012-05-03  9:11               ` Alexander Graf
2012-05-03 20:58                 ` Paul Moore
2012-05-03  9:04         ` Alexander Graf
2012-05-03 20:51   ` Paul Moore
2012-05-03 14:54 ` Alexander Graf
2012-05-03 20:54   ` Paul Moore
2012-05-04  2:01     ` Roman Drahtmueller
2012-05-04 12:39       ` Paul Moore
2012-05-04 12:42         ` Daniel P. Berrange
2012-06-03  0:55 ` Anthony Liguori
2012-06-04 18:16   ` Paul Moore
2012-06-04 23:11     ` Anthony Liguori
2012-06-04 23:17       ` Alexander Graf
2012-06-04 23:54         ` Anthony Liguori
2012-06-05  0:55           ` Alexander Graf
2012-06-05  1:03             ` Anthony Liguori
2012-06-05  1:08               ` Alexander Graf
2012-06-05  1:23                 ` Anthony Liguori
2012-06-05  1:29                   ` Alexander Graf
2012-06-05  7:23                   ` Gerd Hoffmann
2012-06-05 21:45                 ` Paul Moore
2012-06-05 21:51                   ` Alexander Graf
2012-06-05 22:06                     ` Paul Moore
2012-06-05 23:07                       ` Anthony Liguori
2012-06-05 23:56                         ` Alexander Graf
2012-06-06 22:56                           ` Paul Moore
2012-06-07  3:10                             ` Anthony Liguori
2012-06-07 10:31                               ` Alexander Graf
2012-06-07 13:21                                 ` Paul Moore
2012-06-08 21:37                                   ` Paul Moore
2012-06-11 13:33                                 ` Roman Drahtmueller
