Re: [Qemu-devel] [PATCH] vnc: disable VNC password authentication (security type 2) when in FIPS mode
From: Daniel P. Berrange
Subject: Re: [Qemu-devel] [PATCH] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Wed, 2 May 2012 12:05:06 +0100
User-agent: Mutt/1.5.21 (2010-09-15)
On Wed, May 02, 2012 at 12:28:02PM +0200, Christoph Hellwig wrote:
> On Wed, May 02, 2012 at 12:54:21AM +0200, Andreas Färber wrote:
> > > + fds = fopen("/proc/sys/crypto/fips_enabled", "r");
> >
> > How standardized is this? Should we limit this to __linux__ or something?
>
> It's completely non-standard and doesn't even exist in mainline Linux.
>
> All the FIPS bullshit is a RHEL-private feature, which is where this patch
> should stay as well.
You really should check your facts before making such grand assertions
that are trivially disprovable.
It *is* in the mainline kernel:
$ wget https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.3.4.tar.bz2
$ tar jxvf linux-3.3.4.tar.bz2
$ cd linux-3.3.4
$ find | grep -i fips
./crypto/fips.c
./include/linux/fips.h
$ find -type f | xargs grep fips_enabled
./drivers/char/random.c: if (fips_enabled) {
./crypto/fips.c:int fips_enabled;
./crypto/fips.c:EXPORT_SYMBOL_GPL(fips_enabled);
./crypto/fips.c: fips_enabled = !!simple_strtol(str, NULL, 0);
./crypto/fips.c: fips_enabled ? "enabled" : "disabled");
./crypto/tcrypt.c: if (fips_enabled && ret == -EINVAL)
./crypto/tcrypt.c: if (!fips_enabled)
./crypto/testmgr.c: if (fips_enabled && !alg_test_descs[i].fips_allowed)
./crypto/testmgr.c: if (fips_enabled && ((i >= 0 && !alg_test_descs[i].fips_allowed) ||
./crypto/testmgr.c: if (fips_enabled && rc)
./crypto/testmgr.c: if (fips_enabled && !rc)
./crypto/proc.c: .procname = "fips_enabled",
./crypto/proc.c: .data = &fips_enabled,
./include/linux/fips.h:extern int fips_enabled;
./include/linux/fips.h:#define fips_enabled 0
It is *not* solely "RHEL bullshit":
$ cat /etc/fedora-release
Fedora release 17 (Beefy Miracle)
$ rpm -qf /lib64/libfipscheck.so.1
fipscheck-lib-1.3.0-3.fc17.x86_64
It *is* in all upstream crypto libraries:
# wget ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.0.tar.bz2
# tar jxvf libgcrypt-1.5.0.tar.bz2
# cd libgcrypt-1.5.0
# find | grep fips
./random/random-fips.c
./src/fips.c
./tests/fips186-dsa.c
./tests/fipsdrv.c
./doc/fips-fsm.pdf
./doc/fips-fsm.fig
./doc/fips-fsm.png
./doc/fips-fsm.eps
# wget http://www.openssl.org/source/openssl-1.0.1b.tar.gz
# tar zxvf openssl-1.0.1b.tar.gz
# cd openssl-1.0.1b
# find | grep fips
./test/testfipsssl
./crypto/dsa/fips186a.txt
./crypto/o_fips.c
./crypto/evp/evp_fips.c
./crypto/fips_err.h
./crypto/fips_ers.c
# wget ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_13_4_RTM/src/nss-3.13.4.tar.gz
# tar zxvf nss-3.13.4.tar.gz
# cd nss-3.13.4
# find | grep fips
./mozilla/security/nss/lib/softoken/fipsaudt.c
./mozilla/security/nss/lib/softoken/fipstest.c
./mozilla/security/nss/lib/softoken/fipstokn.c
./mozilla/security/nss/tests/fips
./mozilla/security/nss/tests/fips/fips.sh
./mozilla/security/nss/cmd/fipstest
./mozilla/security/nss/cmd/fipstest/dsa.sh
./mozilla/security/nss/cmd/fipstest/rsa.sh
./mozilla/security/nss/cmd/fipstest/manifest.mn
./mozilla/security/nss/cmd/fipstest/rng.sh
./mozilla/security/nss/cmd/fipstest/fipstest.c
./mozilla/security/nss/cmd/fipstest/sha.sh
./mozilla/security/nss/cmd/fipstest/hmac.sh
./mozilla/security/nss/cmd/fipstest/tdea.sh
./mozilla/security/nss/cmd/fipstest/Makefile
./mozilla/security/nss/cmd/fipstest/ecdsa.sh
./mozilla/security/nss/cmd/fipstest/aes.sh
And fully documented by upstreams too:
http://www.gnupg.org/documentation/manuals/gcrypt/Enabling-FIPS-mode.html
https://www.mozilla.org/projects/security/pki/nss/fips/
http://www.openssl.org/docs/fips/fipsnotes.html
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
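The thread turns on one line of the patch, `fopen("/proc/sys/crypto/fips_enabled", "r")`, and on Andreas's question of whether that read should be limited to `__linux__`. The block below is an added illustration of that check, not the patch's code or QEMU's: it guards the sysctl read with `#ifdef __linux__`, treats a missing file (a kernel built without FIPS support, or a non-Linux host) as "FIPS mode off", and separates parsing of the file contents from the policy decision so the parser can be exercised without root or a FIPS host. The function names, the `VNC_AUTH_*` constants and the rejection helper are this example's own; only the sysctl path and the security type number 2 come from the thread.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stdlib.h>

/* Parse the text of /proc/sys/crypto/fips_enabled. The kernel writes a
 * single integer ("0\n" or "1\n"). Anything nonzero means enabled; empty or
 * unparseable input is treated as "not enabled". */
bool fips_flag_from_text(const char *text)
{
    char *end = NULL;
    long val;

    if (text == NULL) {
        return false;
    }
    val = strtol(text, &end, 10);
    if (end == text) {
        return false;            /* no digits at all */
    }
    return val != 0;
}

/* Read the Linux sysctl. Returns false on non-Linux hosts and when the
 * file is absent, so callers fall back to ordinary (non-FIPS) behaviour. */
bool host_fips_mode_enabled(void)
{
#ifdef __linux__
    char buf[16];
    bool enabled = false;
    FILE *f = fopen("/proc/sys/crypto/fips_enabled", "r");

    if (f == NULL) {
        return false;
    }
    if (fgets(buf, sizeof buf, f) != NULL) {
        enabled = fips_flag_from_text(buf);
    }
    fclose(f);
    return enabled;
#else
    return false;
#endif
}

/* VNC security type numbers from RFC 6143 (names are this example's own). */
enum { VNC_AUTH_NONE = 1, VNC_AUTH_VNC = 2 };

/* Policy: security type 2 is the classic VNC password exchange, which is a
 * DES challenge/response; DES is not a FIPS-approved cipher, so the type is
 * refused whenever the host is in FIPS mode. Other types are unaffected. */
bool vnc_auth_type_permitted(int auth_type, bool fips_mode)
{
    if (auth_type == VNC_AUTH_VNC && fips_mode) {
        return false;
    }
    return true;
}

int main(void)
{
    bool fips = host_fips_mode_enabled();

    printf("host FIPS mode: %s\n", fips ? "enabled" : "disabled");
    printf("VNC password auth (type 2) permitted: %s\n",
           vnc_auth_type_permitted(VNC_AUTH_VNC, fips) ? "yes" : "no");
    return 0;
}
```

Keeping the parse step separate from the `fopen` is what makes the policy testable on a build box: the file read itself can only be observed on a Linux host, and its result differs between a FIPS-enabled and a normal kernel, so the unit tests assert on the parser and the policy helper rather than on `host_fips_mode_enabled()`.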