On 12/16/2013 01:46 AM, Peter Krempa wrote:
> On 12/13/13 19:51, Eric Blake wrote:
>> On a system that is enforcing FIPS, most libraries honor the
>> current mode by default. Qemu, on the other hand, refused to
>> honor FIPS mode unless you add the '-enable-fips' command
>> line option; worse, this option is not discoverable via QMP,
>> and is only present on binaries built for Linux. So, if we
>> detect FIPS mode, then we unconditionally ask for FIPS; either
>> qemu is new enough to have the option and then correctly
>> cripple insecure VNC passwords, or it is so old that we are
>> correctly avoiding a FIPS violation by preventing qemu from
>> starting. Meanwhile, if we don't detect FIPS mode, then
>> omitting the argument is safe whether the qemu has the option
>> (but it would do nothing because FIPS is disabled) or whether
>> qemu lacks the option (including in the case where we are not
>> running on Linux).
>>
>> + if (virFileExists("/proc/sys/crypto/fips_enabled")) {
>> + char buf[sizeof("1\n")];
>
> No need for the above buffer as virFileReadAll actually allocates the
> buffer itself.
D'oh. Version 3 coming up.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list