From: Andreas Färber
Subject: Re: [Qemu-devel] [PATCH] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Wed, 02 May 2012 00:54:21 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120421 Thunderbird/12.0
On 01.05.2012 23:20, Paul Moore wrote:
> FIPS 140-2 requires disabling certain ciphers, including DES, which is used
> by VNC to obscure passwords when they are sent over the network. The
> solution for FIPS users is to disable the use of VNC password auth when the
> host system is operating in FIPS mode.
>
> This patch causes qemu to emits a syslog entry indicating that VNC password
"to emit"
> auth is disabled when it detects the host is running in FIPS mode, and
> unless a VNC password was specified on the command line it continues
> normally. However, if a VNC password was given on the command line, qemu
> fails with an error message to stderr explaining that that VNC password
"explaining that VNC"
> auth is not allowed in FIPS mode.
>
> Signed-off-by: Paul Moore <address@hidden>
Interesting feature. :)
> diff --git a/ui/vnc.c b/ui/vnc.c
> index deb9ecd..620791e 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -32,6 +32,7 @@
> #include "acl.h"
> #include "qemu-objects.h"
> #include "qmp-commands.h"
> +#include <syslog.h>
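Review bot: the unconditional `#include <syslog.h>` at the top of ui/vnc.c will break the mingw32 build, since syslog.h is POSIX and has no Windows counterpart; wrap it in `#ifndef _WIN32` (or move it into the POSIX-only OS layer) so the non-FIPS path still compiles everywhere. None of the quoted hunks show the syslog() call itself, so whatever guard is chosen has to cover both the include and the call site.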
syslog.h is POSIX, but it'll need a guard for mingw32.
> @@ -48,6 +49,24 @@ static DisplayChangeListener *dcl;
> static int vnc_cursor_define(VncState *vs);
> static void vnc_release_modifiers(VncState *vs);
>
> +static int fips_enabled(void)
> +{
> + int enabled = 0;
> + char value;
> + FILE *fds;
> +
> + fds = fopen("/proc/sys/crypto/fips_enabled", "r");
How standardized is this? Should we limit this to __linux__ or something?
> + if (fds == NULL) {
> + return 0;
> + }
> + if (fread(&value, sizeof(value), 1, fds) == 1 && value == '1') {
> + enabled = 1;
> + }
> + fclose(fds);
> +
> + return enabled;
> +}
bool would seem nicer as return type and field type below.
Andreas
> +
> static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
> {
> #ifdef _VNC_DEBUG
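Review bot: fips_enabled() collapses "file missing", "read failed" and "fips_enabled is 0" into the same return value 0, so any failure to open or read /proc/sys/crypto/fips_enabled (a container with /proc masked, EACCES, a short read) silently re-enables DES-obscured password auth; for a policy check that is meant to fail closed, distinguish ENOENT (kernel without FIPS support, treat as off) from other errors. The path is Linux-specific, so the function body belongs under `#ifdef __linux__` with a stub returning false elsewhere, and returning `bool` would match the `bool lossy;` style already used in VncDisplay. Minor: `fds` reads as a descriptor set; `fp` is the conventional name for a `FILE *`.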
> diff --git a/ui/vnc.h b/ui/vnc.h
> index a851ebd..8746a98 100644
> --- a/ui/vnc.h
> +++ b/ui/vnc.h
> @@ -160,6 +160,7 @@ struct VncDisplay
> char *display;
> char *password;
> time_t expires;
> + int fips;
> int auth;
> bool lossy;
> bool non_adaptive;
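Review bot: `int fips;` is added between `time_t expires;` and `int auth;` with no comment saying what it records, while the flags just below it (`bool lossy;`, `bool non_adaptive;`) are already `bool`; make it `bool fips;` with a one-line comment that it caches the host's FIPS state at display setup, and consider placing it next to the other bool flags so the layout stays consistent.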
--
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg
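The following is an added example, not QEMU code and not part of the patch or this reply. It re-implements the check the commit message describes (probe the host's FIPS sysctl, then refuse or disable VNC password auth) with the points raised in review applied: a bool-like three-state result, a `__linux__` guard around the /proc access, and a distinction between "file absent" and "could not read" so the policy fails closed. The probe takes the path as a parameter so it can be exercised against a constructed file; the `fips_state`, `vnc_password_policy` and function names are this example's own, and treating an undetermined FIPS state as "on" is an assumption of the example, not the patch's behaviour.

```c
/* Added example (not QEMU code): FIPS-mode probe and VNC password-auth
 * decision, restructured so that "on", "off" and "could not tell" are
 * distinct and the decision can be unit-tested without /proc. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { FIPS_OFF, FIPS_ON, FIPS_UNKNOWN } fips_state;

typedef enum {
    VNC_PASSWORD_ALLOWED,   /* not in FIPS mode: security type 2 stays usable */
    VNC_PASSWORD_DISABLED,  /* FIPS mode, no password given: log and continue */
    VNC_PASSWORD_REFUSED    /* FIPS mode and a password was given: start-up fails */
} vnc_password_policy;

/* Parse the contents of /proc/sys/crypto/fips_enabled. The kernel writes
 * "0\n" or "1\n"; anything else is reported as unknown, not as off. */
static fips_state fips_parse(const char *buf, size_t len)
{
    if (len >= 1 && (len == 1 || buf[1] == '\n' || buf[1] == '\0')) {
        if (buf[0] == '1') {
            return FIPS_ON;
        }
        if (buf[0] == '0') {
            return FIPS_OFF;
        }
    }
    return FIPS_UNKNOWN;
}

/* Read the sysctl at `path` (normally /proc/sys/crypto/fips_enabled).
 * The file is Linux-specific, so other hosts report "unknown". */
static fips_state fips_probe_path(const char *path)
{
#ifndef __linux__
    (void)path;
    return FIPS_UNKNOWN;
#else
    char buf[8];
    FILE *fp = fopen(path, "r");
    if (fp == NULL) {
        /* ENOENT: kernel built without FIPS support, so not in FIPS mode.
         * Any other error (EACCES, masked /proc, ...) is "cannot tell". */
        return errno == ENOENT ? FIPS_OFF : FIPS_UNKNOWN;
    }
    size_t n = fread(buf, 1, sizeof(buf) - 1, fp);
    int err = ferror(fp);
    fclose(fp);
    if (err) {
        return FIPS_UNKNOWN;
    }
    buf[n] = '\0';
    return fips_parse(buf, n);
#endif
}

/* The decision from the commit message. An undetermined FIPS state is
 * treated like FIPS on (fail closed); that is this example's assumption. */
static vnc_password_policy vnc_password_decide(fips_state fips, bool password_given)
{
    if (fips == FIPS_OFF) {
        return VNC_PASSWORD_ALLOWED;
    }
    return password_given ? VNC_PASSWORD_REFUSED : VNC_PASSWORD_DISABLED;
}

int main(void)
{
    /* Constructed inputs standing in for sysctl contents. */
    static const char *samples[] = { "1\n", "0\n", "", "garbage\n" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        fips_state s = fips_parse(samples[i], strlen(samples[i]));
        printf("parse(%zu) -> fips_state %d, policy with password: %d\n",
               i, (int)s, (int)vnc_password_decide(s, true));
    }
    fips_state host = fips_probe_path("/proc/sys/crypto/fips_enabled");
    printf("host fips_state %d -> policy without password: %d\n",
           (int)host, (int)vnc_password_decide(host, false));
    return 0;
}
```

The enum return, rather than a plain `int`, is what lets the caller tell a genuine "0" apart from "the probe failed"; in the patch as posted both read as 0 and password auth stays enabled.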