Anthony Liguori <anth...@codemonkey.ws> wrote on 05/01/2012 06:45:47 PM:
> Anthony Liguori <anth...@codemonkey.ws> > 05/01/2012 06:45 PM > > To > > George Wilson/Austin/IBM@IBMUS > > cc > > Paul Moore <pmo...@redhat.com>, qemu-devel@nongnu.org > > Subject > > Re: [Qemu-devel] [PATCH] vnc: disable VNC password authentication > (security type 2) when in FIPS mode > > On 05/01/2012 06:43 PM, George Wilson wrote: > > > > Anthony Liguori<anth...@codemonkey.ws> wrote on 05/01/2012 06:26:05 PM: > > > >> Anthony Liguori<anth...@codemonkey.ws> > >> 05/01/2012 06:26 PM > >> > >> To > >> > >> Paul Moore<pmo...@redhat.com> > >> > >> cc > >> > >> qemu-devel@nongnu.org, George Wilson/Austin/IBM@IBMUS > >> > >> Subject > >> > >> Re: [Qemu-devel] [PATCH] vnc: disable VNC password authentication > >> (security type 2) when in FIPS mode > >> > >> On 05/01/2012 04:20 PM, Paul Moore wrote: > >>> FIPS 140-2 requires disabling certain ciphers, including DES, which is > > used > >>> by VNC to obscure passwords when they are sent over the network. The > >>> solution for FIPS users is to disable the use of VNC password auth when > > the > >>> host system is operating in FIPS mode. > >> > >> Sorry, what? > >> > >> Does FIPS really require software to detect when FIPS is enabled > > andactively > >> disable features??? That's absurd. > >> > >> Can you point to another software package that does something like this? > > > > Yes, it's true that only FIPS-approved algorithms are permitted for use in > > FIPS > > mode. The kernel and all other FIPS 140-2 validated crypto modules like > > OpenSSL > > and NSS are required to restrict algorithms to the approved set. The > > kernel > > sets /proc/sys/crypto/fips_enabled so that programs can detect FIPS mode > > and > > behave in accordance with the standard. > > But this is nonsensical. It would allow no-password to be configured > for the VNC > server but not DES? Why is that okay? It's not like we enable DES > passwords by > default. A user has to explicitly configure it. Because the standard says so :-) If you're going to encrypt and need to be FIPS 140-2 compliant, choose a FIPS-approved algorithm like AES. And adhere to approved key sizes and modes. And make sure the algorithm does self tests. And so on. It's best call into a FIPS-compliant library. If the passwords are sent over an untrusted network, it's not OK not to encrypt them from a security POV. > > Is there an open source app that actually keys off of fips_enabled? libgcrypt is one example: $strings /lib64/libgcrypt.so.11.5.3 | grep fips_enabled /etc/gcrypt/fips_enabled /proc/sys/crypto/fips_enabled info libgcrypt has some details on FIPS mode. > > Regards, > > Anthony Liguori > > > > >> > >> Regards, > >> > >> Anthony Liguori > >> > >>> > >>> This patch causes qemu to emits a syslog entry indicating that VNC > > password > >>> auth is disabled when it detects the host is running in FIPS mode, and > >>> unless a VNC password was specified on the command line it continues > >>> normally. However, if a VNC password was given on the command line, > > qemu > >>> fails with an error message to stderr explaining that that VNC password > >>> auth is not allowed in FIPS mode. > >>> > >>> Signed-off-by: Paul Moore<pmo...@redhat.com> > >>> --- > >>> qemu-doc.texi | 8 +++++--- > >>> ui/vnc.c | 32 ++++++++++++++++++++++++++++++++ > >>> ui/vnc.h | 1 + > >>> 3 files changed, 38 insertions(+), 3 deletions(-) > >>> > >>> diff --git a/qemu-doc.texi b/qemu-doc.texi > >>> index e5d7ac4..f9b113e 100644 > >>> --- a/qemu-doc.texi > >>> +++ b/qemu-doc.texi > >>> @@ -1124,9 +1124,11 @@ the protocol limits passwords to 8 > >> characters it should not be considered > >>> to provide high security. The password can be fairly easily > >> brute-forced by > >>> a client making repeat connections. For this reason, a VNC > >> server using password > >>> authentication should be restricted to only listen on the > >> loopback interface > >>> -or UNIX domain sockets. Password authentication is requested with > >> the @code{password} > >>> -option, and then once QEMU is running the password is set with > >> the monitor. Until > >>> -the monitor is used to set the password all clients will be rejected. > >>> +or UNIX domain sockets. Password authentication is not supported > >> when operating > >>> +in FIPS 140-2 compliance mode as it requires the use of the DES > >> cipher. Password > >>> +authentication is requested with the @code{password} option, and > >> then once QEMU > >>> +is running the password is set with the monitor. Until the > >> monitor is used to > >>> +set the password all clients will be rejected. > >>> > >>> @example > >>> qemu [...OPTIONS...] -vnc :1,password -monitor stdio > >>> diff --git a/ui/vnc.c b/ui/vnc.c > >>> index deb9ecd..620791e 100644 > >>> --- a/ui/vnc.c > >>> +++ b/ui/vnc.c > >>> @@ -32,6 +32,7 @@ > >>> #include "acl.h" > >>> #include "qemu-objects.h" > >>> #include "qmp-commands.h" > >>> +#include<syslog.h> > >>> > >>> #define VNC_REFRESH_INTERVAL_BASE 30 > >>> #define VNC_REFRESH_INTERVAL_INC 50 > >>> @@ -48,6 +49,24 @@ static DisplayChangeListener *dcl; > >>> static int vnc_cursor_define(VncState *vs); > >>> static void vnc_release_modifiers(VncState *vs); > >>> > >>> +static int fips_enabled(void) > >>> +{ > >>> + int enabled = 0; > >>> + char value; > >>> + FILE *fds; > >>> + > >>> + fds = fopen("/proc/sys/crypto/fips_enabled", "r"); > >>> + if (fds == NULL) { > >>> + return 0; > >>> + } > >>> + if (fread(&value, sizeof(value), 1, fds) == 1&& value == '1') { > >>> + enabled = 1; > >>> + } > >>> + fclose(fds); > >>> + > >>> + return enabled; > >>> +} > >>> + > >>> static void vnc_set_share_mode(VncState *vs, VncShareMode mode) > >>> { > >>> #ifdef _VNC_DEBUG > >>> @@ -2748,6 +2767,12 @@ void vnc_display_init(DisplayState *ds) > >>> dcl->idle = 1; > >>> vnc_display = vs; > >>> > >>> + vs->fips = fips_enabled(); > >>> + VNC_DEBUG("FIPS mode %s\n", (vs->fips ? "enabled" : "disabled")); > >>> + if (vs->fips) { > >>> + syslog(LOG_NOTICE, "Disabling VNC password auth due to > >> FIPS mode\n"); > >>> + } > >>> + > >>> vs->lsock = -1; > >>> > >>> vs->ds = ds; > >>> @@ -2892,6 +2917,13 @@ int vnc_display_open(DisplayState *ds, > >> const char *display) > >>> while ((options = strchr(options, ','))) { > >>> options++; > >>> if (strncmp(options, "password", 8) == 0) { > >>> + if (vs->fips) { > >>> + fprintf(stderr, > >>> + "VNC password auth disabled due to FIPS mode > > \n"); > >>> + g_free(vs->display); > >>> + vs->display = NULL; > >>> + return -1; > >>> + } > >>> password = 1; /* Require password auth */ > >>> } else if (strncmp(options, "reverse", 7) == 0) { > >>> reverse = 1; > >>> diff --git a/ui/vnc.h b/ui/vnc.h > >>> index a851ebd..8746a98 100644 > >>> --- a/ui/vnc.h > >>> +++ b/ui/vnc.h > >>> @@ -160,6 +160,7 @@ struct VncDisplay > >>> char *display; > >>> char *password; > >>> time_t expires; > >>> + int fips; > >>> int auth; > >>> bool lossy; > >>> bool non_adaptive; > >>> > >>> > >>> > >> > > > > Regards, > > George Wilson > Regards, George Wilson