Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode

[Roman Drahtmueller]

> > > FIPS 140-2 requires disabling certain ciphers, including DES, which is
> > > used
> > > by VNC to obscure passwords when they are sent over the network.  The
> > > solution for FIPS users is to disable the use of VNC password auth when
> > > the
> > > host system is operating in FIPS mode.
> > > 
> > > This patch causes qemu to emit a syslog entry indicating that VNC password
> > > auth is disabled when it detects the host is running in FIPS mode, and
> > > unless a VNC password was specified on the command line it continues
> > > normally.  However, if a VNC password was given on the command line, qemu
> > > fails with an error message to stderr explaining that VNC password auth is
> > > not allowed in FIPS mode.
> > 
> > I just talked to Roman about this one and he had some comments :)
> 
> I'm sure he did :)

*g* Thanks, Alex! :)

The purpose makes perfect sense, I think.

Some small glitch, though:

fips=1 on the kernel commandline turns on fips mode in the kernel crypto, 
and leaves "1" in /proc/sys/crypto/fips_enabled for userland to consume.
openssl starts up, reads the file and runs its fips initialization with 
"1" in the file. Typically...

Two problems:
1) openssl may not come with FIPS support. proc file is ignored.
2) openssl may run in FIPS mode for reasons other than fips=1 on the 
   kernel cmdline (environment, ...).

Suggested way to handle this:

1) compile-time check if <openssl/fips.h> exists.
   Ignore fips specifics if not, otherwise:
2) use int FIPS_mode(void) for what it's there:

#ifdef _QEMU_FIPS               /* or whatever */
#include <openssl/fips.h>
  vs->fips = FIPS_mode();
#endif
 
and skip fips_enabled(void).

Much easier!

> paul moore
> security and virtualization @ redhat

Thanks, 
Roman. (don't know if list is subscribers-post only)