From 8a8dc925d6cdb62aba736eb1551195551e09271b Mon Sep 17 00:00:00 2001 Message-Id: <8a8dc925d6cdb62aba736eb1551195551e09271b.1366117835.git.minovotn@redhat.com> From: Paul Moore Date: Fri, 10 Aug 2012 21:04:17 +0200 Subject: [PATCH 01/19] vnc: disable VNC password authentication (security type 2) when in FIPS mode RH-Author: Paul Moore Message-id: <20120810210417.26916.53804.stgit@sifl> Patchwork-id: 40692 O-Subject: [RHEL6.4 qemu-kvm PATCH] vnc: disable VNC password authentication (security type 2) when in FIPS mode Bugzilla: 817066 RH-Acked-by: Laszlo Ersek RH-Acked-by: Gleb Natapov RH-Acked-by: Daniel P. Berrange Upstream: 0f66998ff6d5d2133b9b08471a44e13b11119e50 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=817066 Brew: https://brewweb.devel.redhat.com/taskinfo?taskID=4742727 FIPS 140-2 requires disabling certain ciphers, including DES, which is used by VNC to obscure passwords when they are sent over the network. The solution for FIPS users is to disable the use of VNC password auth when the host system is operating in FIPS compliance mode. This patch diverges slightly from the upstream patch merged on August 3rd, 2012 as we do away with the need for the "-enable-fips" command line option and enter FIPS compliance mode automatically when the host kernel has been booted into FIPS compliance mode. This patch causes QEMU to emit a message to stderr when the host system is running in FIPS mode and a VNC password was specified on the commend line. If the system is not running in FIPS mode, or is running in FIPS mode but VNC password authentication was not requested, QEMU operates normally. Signed-off-by: Paul Moore --- osdep.c | 30 ++++++++++++++++++++++++++++++ osdep.h | 4 ++++ qemu-doc.texi | 8 +++++--- vl.c | 1 + vnc.c | 10 ++++++++++ 5 files changed, 50 insertions(+), 3 deletions(-) Signed-off-by: Michal Novotny --- osdep.c | 30 ++++++++++++++++++++++++++++++ osdep.h | 4 ++++ qemu-doc.texi | 8 +++++--- vl.c | 1 + vnc.c | 10 ++++++++++ 5 files changed, 50 insertions(+), 3 deletions(-) diff --git a/osdep.c b/osdep.c index e71a8b8..8d16dbb 100644 --- a/osdep.c +++ b/osdep.c @@ -24,6 +24,7 @@ #include #include #include +#include #include #include #include @@ -49,6 +50,8 @@ #include "sysemu.h" #include "qemu_socket.h" +static bool fips_enabled = false; + #if !defined(_POSIX_C_SOURCE) || defined(_WIN32) || defined(__sun__) static void *oom_check(void *ptr) { @@ -381,3 +384,30 @@ int qemu_accept(int s, struct sockaddr *addr, socklen_t *addrlen) return ret; } + +void fips_set_state(bool requested) +{ +#ifdef __linux__ + if (requested) { + FILE *fds = fopen("/proc/sys/crypto/fips_enabled", "r"); + if (fds != NULL) { + fips_enabled = (fgetc(fds) == '1'); + fclose(fds); + } + } +#else + fips_enabled = false; +#endif /* __linux__ */ + +#ifdef _FIPS_DEBUG + fprintf(stderr, "FIPS mode %s (requested %s)\n", + (fips_enabled ? "enabled" : "disabled"), + (requested ? "enabled" : "disabled")); +#endif +} + +bool fips_get_state(void) +{ + return fips_enabled; +} + diff --git a/osdep.h b/osdep.h index 46ca087..e1b108c 100644 --- a/osdep.h +++ b/osdep.h @@ -3,6 +3,7 @@ #include #include +#include #ifdef __OpenBSD__ #include #include @@ -113,4 +114,7 @@ typedef struct timeval qemu_timeval; #define qemu_gettimeofday(tp) gettimeofday(tp, NULL); #endif /* !_WIN32 */ +void fips_set_state(bool requested); +bool fips_get_state(void); + #endif diff --git a/qemu-doc.texi b/qemu-doc.texi index 366d73c..021a12b 100644 --- a/qemu-doc.texi +++ b/qemu-doc.texi @@ -856,9 +856,11 @@ the protocol limits passwords to 8 characters it should not be considered to provide high security. The password can be fairly easily brute-forced by a client making repeat connections. For this reason, a VNC server using password authentication should be restricted to only listen on the loopback interface -or UNIX domain sockets. Password authentication is requested with the @code{password} -option, and then once QEMU is running the password is set with the monitor. Until -the monitor is used to set the password all clients will be rejected. +or UNIX domain sockets. Password authentication is not supported when operating +in FIPS 140-2 compliance mode as it requires the use of the DES cipher. Password +authentication is requested with the @code{password} option, and then once QEMU +is running the password is set with the monitor. Until the monitor is used to +set the password all clients will be rejected. @example qemu [...OPTIONS...] -vnc :1,password -monitor stdio diff --git a/vl.c b/vl.c index 54ce663..163298d 100644 --- a/vl.c +++ b/vl.c @@ -6007,6 +6007,7 @@ int main(int argc, char **argv, char **envp) } } } + fips_set_state(true); loc_set_none(); /* If no data_dir is specified then try to find it relative to the diff --git a/vnc.c b/vnc.c index 0a2ee28..61a4def 100644 --- a/vnc.c +++ b/vnc.c @@ -37,6 +37,7 @@ #include "vnc_keysym.h" #include "d3des.h" +#include "osdep.h" #define count_bits(c, v) { \ for (c = 0; v; v >>= 1) \ @@ -2675,6 +2676,15 @@ int vnc_display_open(DisplayState *ds, const char *display) while ((options = strchr(options, ','))) { options++; if (strncmp(options, "password", 8) == 0) { + if (fips_get_state()) { + fprintf(stderr, + "VNC password auth disabled due to FIPS mode, " + "consider using the VeNCrypt or SASL authentication " + "methods as an alternative\n"); + qemu_free(vs->display); + vs->display = NULL; + return -1; + } password = 1; /* Require password auth */ } else if (strncmp(options, "reverse", 7) == 0) { reverse = 1; -- 1.7.11.7