diff options
author | Paul Moore <pmoore@redhat.com> | 2012-08-03 14:39:21 -0400 |
---|---|---|
committer | Anthony Liguori <aliguori@us.ibm.com> | 2012-08-03 14:28:40 -0500 |
commit | 0f66998ff6d5d2133b9b08471a44e13b11119e50 (patch) | |
tree | 498ceec7d881257c2564998762cd635014c51e8d /ui/vnc.c | |
parent | 2ad728bd4bf26d8144190ca87d5d36d5f33cfae9 (diff) |
vnc: disable VNC password authentication (security type 2) when in FIPS mode
FIPS 140-2 requires disabling certain ciphers, including DES, which is used
by VNC to obscure passwords when they are sent over the network. The
solution for FIPS users is to disable the use of VNC password auth when the
host system is operating in FIPS compliance mode and the user has specified
'-enable-fips' on the QEMU command line.
This patch causes QEMU to emit a message to stderr when the host system is
running in FIPS mode and a VNC password was specified on the commend line.
If the system is not running in FIPS mode, or is running in FIPS mode but
VNC password authentication was not requested, QEMU operates normally.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'ui/vnc.c')
-rw-r--r-- | ui/vnc.c | 10 |
1 files changed, 10 insertions, 0 deletions
@@ -32,6 +32,7 @@ #include "acl.h" #include "qemu-objects.h" #include "qmp-commands.h" +#include "osdep.h" #define VNC_REFRESH_INTERVAL_BASE 30 #define VNC_REFRESH_INTERVAL_INC 50 @@ -2875,6 +2876,15 @@ int vnc_display_open(DisplayState *ds, const char *display) while ((options = strchr(options, ','))) { options++; if (strncmp(options, "password", 8) == 0) { + if (fips_get_state()) { + fprintf(stderr, + "VNC password auth disabled due to FIPS mode, " + "consider using the VeNCrypt or SASL authentication " + "methods as an alternative\n"); + g_free(vs->display); + vs->display = NULL; + return -1; + } password = 1; /* Require password auth */ } else if (strncmp(options, "reverse", 7) == 0) { reverse = 1; |