From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4FA075AB.5000002@codemonkey.ws>
Date: Tue, 01 May 2012 18:45:47 -0500
From: Anthony Liguori
MIME-Version: 1.0
References: <20120501212040.27850.27184.stgit@sifl> <4FA0710D.9070900@codemonkey.ws>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] vnc: disable VNC password authentication (security type 2) when in FIPS mode
To: George Wilson
Cc: Paul Moore, qemu-devel@nongnu.org

On 05/01/2012 06:43 PM, George Wilson wrote:
> Anthony Liguori wrote on 05/01/2012 06:26:05 PM:
>
>> On 05/01/2012 04:20 PM, Paul Moore wrote:
>>> FIPS 140-2 requires disabling certain ciphers, including DES, which is used
>>> by VNC to obscure passwords when they are sent over the network. The
>>> solution for FIPS users is to disable the use of VNC password auth when the
>>> host system is operating in FIPS mode.
>>
>> Sorry, what?
>>
>> Does FIPS really require software to detect when FIPS is enabled and actively
>> disable features??? That's absurd.
>>
>> Can you point to another software package that does something like this?
>
> Yes, it's true that only FIPS-approved algorithms are permitted for use in FIPS
> mode. The kernel and all other FIPS 140-2 validated crypto modules like OpenSSL
> and NSS are required to restrict algorithms to the approved set. The kernel
> sets /proc/sys/crypto/fips_enabled so that programs can detect FIPS mode and
> behave in accordance with the standard.

But this is nonsensical. It would allow no-password to be configured for the
VNC server but not DES? Why is that okay?

It's not like we enable DES passwords by default. A user has to explicitly
configure it.
Is there an open source app that actually keys off of fips_enabled?

Regards,

Anthony Liguori

>> Regards,
>>
>> Anthony Liguori
>>
>>> This patch causes qemu to emit a syslog entry indicating that VNC password
>>> auth is disabled when it detects the host is running in FIPS mode, and
>>> unless a VNC password was specified on the command line it continues
>>> normally. However, if a VNC password was given on the command line, qemu
>>> fails with an error message to stderr explaining that VNC password
>>> auth is not allowed in FIPS mode.
>>>
>>> Signed-off-by: Paul Moore
>>> ---
>>> qemu-doc.texi | 8 +++++--- >>> ui/vnc.c | 32 ++++++++++++++++++++++++++++++++ >>> ui/vnc.h | 1 + >>> 3 files changed, 38 insertions(+), 3 deletions(-) >>> >>> diff --git a/qemu-doc.texi b/qemu-doc.texi >>> index e5d7ac4..f9b113e 100644 >>> --- a/qemu-doc.texi >>> +++ b/qemu-doc.texi >>> @@ -1124,9 +1124,11 @@ the protocol limits passwords to 8 >> characters it should not be considered >>> to provide high security. The password can be fairly easily >> brute-forced by >>> a client making repeat connections. For this reason, a VNC >> server using password >>> authentication should be restricted to only listen on the >> loopback interface >>> -or UNIX domain sockets. Password authentication is requested with >> the @code{password} >>> -option, and then once QEMU is running the password is set with >> the monitor. Until >>> -the monitor is used to set the password all clients will be rejected. >>> +or UNIX domain sockets. Password authentication is not supported >> when operating >>> +in FIPS 140-2 compliance mode as it requires the use of the DES >> cipher. Password >>> +authentication is requested with the @code{password} option, and >> then once QEMU >>> +is running the password is set with the monitor. Until the >> monitor is used to >>> +set the password all clients will be rejected. >>> >>> @example >>> qemu [...OPTIONS...] -vnc :1,password -monitor stdio
>>> diff --git a/ui/vnc.c b/ui/vnc.c >>> index deb9ecd..620791e 100644 >>> --- a/ui/vnc.c >>> +++ b/ui/vnc.c >>> @@ -32,6 +32,7 @@ >>> #include "acl.h" >>> #include "qemu-objects.h" >>> #include "qmp-commands.h" >>> +#include >>> >>> #define VNC_REFRESH_INTERVAL_BASE 30 >>> #define VNC_REFRESH_INTERVAL_INC 50 >>> @@ -48,6 +49,24 @@ static DisplayChangeListener *dcl; >>> static int vnc_cursor_define(VncState *vs); >>> static void vnc_release_modifiers(VncState *vs); >>> >>> +static int fips_enabled(void) >>> +{ >>> + int enabled = 0; >>> + char value; >>> + FILE *fds; >>> + >>> + fds = fopen("/proc/sys/crypto/fips_enabled", "r"); >>> + if (fds == NULL) { >>> + return 0; >>> + } >>> + if (fread(&value, sizeof(value), 1, fds) == 1&& value == '1') { >>> + enabled = 1; >>> + } >>> + fclose(fds); >>> + >>> + return enabled; >>> +} >>> + >>> static void vnc_set_share_mode(VncState *vs, VncShareMode mode) >>> { >>> #ifdef _VNC_DEBUG >>> @@ -2748,6 +2767,12 @@ void vnc_display_init(DisplayState *ds) >>> dcl->idle = 1; >>> vnc_display = vs; >>> >>> + vs->fips = fips_enabled(); >>> + VNC_DEBUG("FIPS mode %s\n", (vs->fips ? "enabled" : "disabled")); >>> + if (vs->fips) { >>> + syslog(LOG_NOTICE, "Disabling VNC password auth due to >> FIPS mode\n"); >>> + } >>> + >>> vs->lsock = -1; >>> >>> vs->ds = ds; >>> @@ -2892,6 +2917,13 @@ int vnc_display_open(DisplayState *ds, >> const char *display) >>> while ((options = strchr(options, ','))) { >>> options++; >>> if (strncmp(options, "password", 8) == 0) { >>> + if (vs->fips) { >>> + fprintf(stderr, >>> + "VNC password auth disabled due to FIPS mode > \n"); >>> + g_free(vs->display); >>> + vs->display = NULL; >>> + return -1; >>> + } >>> password = 1; /* Require password auth */ >>> } else if (strncmp(options, "reverse", 7) == 0) { >>> reverse = 1; >>> diff --git a/ui/vnc.h b/ui/vnc.h >>> index a851ebd..8746a98 100644 >>> --- a/ui/vnc.h >>> +++ b/ui/vnc.h 
>>> @@ -160,6 +160,7 @@ struct VncDisplay >>> char *display; >>> char *password; >>> time_t expires; >>> + int fips; >>> int auth; >>> bool lossy; >>> bool non_adaptive; >>> >>> >>> >>
>
> Regards,
> George Wilson
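Review bot: the qemu-doc.texi hunk says password authentication "is not supported when operating in FIPS 140-2 compliance mode" but does not say what the user will observe, while the commit message says QEMU refuses to start with an error on stderr when `password` is given in FIPS mode and only logs a notice otherwise. Suggest one more sentence in that paragraph, e.g. "When the host is in FIPS mode, QEMU exits with an error if the @code{password} option is given.", so the documented behaviour matches the code.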
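Review bot: the `+#include` line in the first ui/vnc.c hunk lost its header name in quoting, so it cannot be reviewed as posted; since the later hunks call syslog() with LOG_NOTICE, confirm that the include is the header declaring those and that it does not make ui/vnc.c fail to build on hosts without it.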
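Review bot: in fips_enabled(), `fread(&value, sizeof(value), 1, fds) == 1&& value == '1'` needs a space before `&&` (style). More substantively, every failure path (fopen() returning NULL, a short read) is collapsed into "not FIPS"; that is the right default for hosts without /proc/sys/crypto/fips_enabled, but it also means an unreadable file silently turns the check off, so a VNC_DEBUG() line on the `fds == NULL` path would make that visible during troubleshooting. Comparing a single byte against '1' is adequate for this sysctl, so the read itself is fine.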
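Review bot: the syslog(LOG_NOTICE, ...) call in the vnc_display_init() hunk fires on every FIPS host, even when password auth was never requested, and its text "Disabling VNC password auth" reads as if an active setting was turned off. Consider logging from the vnc_display_open() path that actually rejects the `password` option, where the decision is made, or rewording to "VNC password auth unavailable in FIPS mode"; the trailing "\n" in a syslog message is also unnecessary.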
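Review bot: in the vnc_display_open() hunk, returning -1 when `password` is requested under FIPS mode, instead of quietly continuing without it, is the right choice: a fallback would leave an operator who asked for authentication with an open VNC server. Two follow-ups: the error goes to stderr via fprintf() while the init path uses syslog(), so a daemonised QEMU may lose the explanation, and since the doc hunk states the password is set later through the monitor, confirm that no monitor path can enable password auth after this startup check has rejected the option.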
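Review bot: in the ui/vnc.h hunk, `int fips;` is placed beside `bool lossy;` and `bool non_adaptive;` in struct VncDisplay; fips_enabled() only ever returns 0 or 1, so `bool fips;` would match the adjacent flags and document the intent.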