#include <stdlib.h>
#include <stdio.h>
#include <stdarg.h>
+#include <stdbool.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include "trace.h"
#include "qemu_socket.h"
+static bool fips_enabled = false;
+
static const char *qemu_version = QEMU_VERSION;
int socket_set_cork(int fd, int v)
{
return qemu_version;
}
+
+void fips_set_state(bool requested)
+{
+#ifdef __linux__
+ if (requested) {
+ FILE *fds = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (fds != NULL) {
+ fips_enabled = (fgetc(fds) == '1');
+ fclose(fds);
+ }
+ }
+#else
+ fips_enabled = false;
+#endif /* __linux__ */
+
+#ifdef _FIPS_DEBUG
+ fprintf(stderr, "FIPS mode %s (requested %s)\n",
+ (fips_enabled ? "enabled" : "disabled"),
+ (requested ? "enabled" : "disabled"));
+#endif
+}
+
+bool fips_get_state(void)
+{
+ return fips_enabled;
+}
#include <stdarg.h>
#include <stddef.h>
+#include <stdbool.h>
#ifdef __OpenBSD__
#include <sys/types.h>
#include <sys/signal.h>
void qemu_set_version(const char *);
const char *qemu_get_version(void);
+void fips_set_state(bool requested);
+bool fips_get_state(void);
+
#endif
to provide high security. The password can be fairly easily brute-forced by
a client making repeat connections. For this reason, a VNC server using password
authentication should be restricted to only listen on the loopback interface
-or UNIX domain sockets. Password authentication is requested with the @code{password}
-option, and then once QEMU is running the password is set with the monitor. Until
-the monitor is used to set the password all clients will be rejected.
+or UNIX domain sockets. Password authentication is not supported when operating
+in FIPS 140-2 compliance mode as it requires the use of the DES cipher. Password
+authentication is requested with the @code{password} option, and then once QEMU
+is running the password is set with the monitor. Until the monitor is used to
+set the password all clients will be rejected.
@example
qemu-system-i386 [...OPTIONS...] -vnc :1,password -monitor stdio
"-qtest-log LOG specify tracing options\n",
QEMU_ARCH_ALL)
+#ifdef __linux__
+DEF("enable-fips", 0, QEMU_OPTION_enablefips,
+ "-enable-fips enable FIPS 140-2 compliance\n",
+ QEMU_ARCH_ALL)
+#endif
+STEXI
+@item -enable-fips
+@findex -enable-fips
+Enable FIPS 140-2 compliance mode.
+ETEXI
+
HXCOMM This is the last statement. Insert new options before this line!
STEXI
@end table
#include "acl.h"
#include "qemu-objects.h"
#include "qmp-commands.h"
+#include "osdep.h"
#define VNC_REFRESH_INTERVAL_BASE 30
#define VNC_REFRESH_INTERVAL_INC 50
while ((options = strchr(options, ','))) {
options++;
if (strncmp(options, "password", 8) == 0) {
+ if (fips_get_state()) {
+ fprintf(stderr,
+ "VNC password auth disabled due to FIPS mode, "
+ "consider using the VeNCrypt or SASL authentication "
+ "methods as an alternative\n");
+ g_free(vs->display);
+ vs->display = NULL;
+ return -1;
+ }
password = 1; /* Require password auth */
} else if (strncmp(options, "reverse", 7) == 0) {
reverse = 1;
#include "qemu-queue.h"
#include "cpus.h"
#include "arch_init.h"
+#include "osdep.h"
#include "ui/qemu-spice.h"
case QEMU_OPTION_qtest_log:
qtest_log = optarg;
break;
+ case QEMU_OPTION_enablefips:
+ fips_set_state(true);
+ break;
default:
os_parse_cmd_args(popt->index, optarg);
}