Bug 1461450
| Summary: | Corosync hangs on secauth with FIPS enabled | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Radek Steiger <rsteiger> |
| Component: | corosync | Assignee: | Jan Friesse <jfriesse> |
| Status: | CLOSED ERRATA | QA Contact: | cluster-qe <cluster-qe> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.4 | CC: | ccaulfie, cfeist, cluster-maint, jruemker, mnovacek, nbarcet |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | corosync-2.4.0-10.el7 | Doc Type: | Bug Fix |
| Doc Text: | Previously, when the corosync service had encryption enabled and was running in an environment with FIPS kernel mode activated, corosync terminated unexpectedly after starting. A patch has been applied to load a symmetric key that works when FIPS kernel mode is activated, and the described problem no longer occurs. | Story Points: | --- |
| Clone Of: | | | |
| : | 1484264 | Environment: | |
| Last Closed: | 2018-04-10 16:52:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1484264 | | |
| Attachments: | | | |

Description
Radek Steiger
2017-06-14 13:14:42 UTC
Created attachment 1287687
Propagate error from totemcrypto layer to upper layers
Nice catch. Fixing 100% CPU load/coredump is easy (see proposed patch). Fixing corosync to work in FIPS environment with encryption enabled seems to be much harder. It looks like FIPS really doesn't support importing symmetric keys.

I'll work on documenting broken FIPS mode with current/prior releases. I guess it makes sense to treat this like a regular bug (for knowledgebase purposes at least) rather than a support policy/limitation, as treating it like a bug would allow us some room to request backporting to EUS streams if any customers hit this. That's opposed to stating something like "Red Hat supports FIPS mode for corosync starting with corosync-v-r.el7", as that might limit customers or support engineers from trying to find solutions for past releases.

Created attachment 1290952
totemcrypto: Refactor symmetric key importing
totemcrypto: Refactor symmetric key importing
Signed-off-by: Jan Friesse <jfriesse>
Reviewed-by: Fabio M. Di Nitto <fdinitto>
Reviewed-by: Christine Caulfield <ccaulfie>
Created attachment 1290953
totemcrypto: Use different method to import key
totemcrypto: Use different method to import key
PK11_ImportSymKey doesn't work when FIPS is enabled because NSS is
targeting FIPS Level 2, where loading of an unencrypted symmetric
key is prohibited.
FIPS Level 2 is hard to achieve without breaking compatibility, so the patch
implements a "workaround" to make NSS behave like FIPS Level 1
(where it is allowed to load an unencrypted symmetric key).
The workaround is about using a temporal key to encrypt the corosync authkey in
memory and then to unwrap it into a valid NSS key.
Signed-off-by: Jan Friesse <jfriesse>
Reviewed-by: Fabio M. Di Nitto <fdinitto>
Reviewed-by: Christine Caulfield <ccaulfie>

"Unit test" is https://github.com/corosync/corosync/pull/224

I've also tested qnetd + qdevice-net behavior when FIPS enabled and everything was working as expected.

Created attachment 1307553
Fix compiler warnings
@John: copy/pasting Tomáš Mráz's response when we were trying to find out RHEL support of FIPS:

> Tomas, if we want to be FIPS 140-2 Level 2 certified is there any way for
> us to have a shared key between all nodes in a cluster that survives
> reboots (without the user entering a passphrase)?
>
> Do you know if we (RHEL HA) need to be FIPS 140-2 Level 2 certified (or who
> would be able to answer that question within Red Hat)?

No, FIPS 140-2 Level 2 validation is unnecessary and basically you cannot achieve it currently. We do not do FIPS validation at Level 2 at all.

So we should be straight there and not announce level-2.

I have verified that our minimal regression tests pass with 'fips=1' enabled and corosync-2.4.3-1.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0920
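
A host-side triage check for the condition the Doc Text describes (FIPS kernel mode active while corosync crypto is enabled), as an added example that is not part of this bug report or of corosync. It assumes corosync 2.x semantics, where `secauth: on` selects aes256/sha1 and explicit `crypto_cipher`/`crypto_hash` keys override it, and the default paths `/etc/corosync/corosync.conf` and `/proc/sys/crypto/fips_enabled`; the sample configuration is constructed.

```python
from pathlib import Path

# Constructed sample configuration, not taken from the bug report.
SAMPLE_CONF = """\
totem {
    version: 2
    cluster_name: demo
    secauth: on
    interface {
        ringnumber: 0
    }
}
"""

def totem_crypto(conf_text):
    """Return the (cipher, hash) pair requested by the top-level totem section."""
    stack, totem = [], {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            if stack:
                stack.pop()
        elif stack == ["totem"] and ":" in line:
            key, value = line.split(":", 1)
            totem[key.strip()] = value.strip().lower()
    # Assumption (corosync 2.x): secauth "on" selects aes256/sha1 and explicit
    # crypto_cipher / crypto_hash keys override that choice.
    cipher, digest = ("aes256", "sha1") if totem.get("secauth") == "on" else ("none", "none")
    return totem.get("crypto_cipher", cipher), totem.get("crypto_hash", digest)

def at_risk(conf_text, fips_flag_text):
    """True when FIPS kernel mode is active and totem crypto is not fully off."""
    cipher, digest = totem_crypto(conf_text)
    return fips_flag_text.strip() == "1" and (cipher, digest) != ("none", "none")

def check_host(conf="/etc/corosync/corosync.conf",
               flag="/proc/sys/crypto/fips_enabled"):
    """Evaluate the local node; a missing flag file is treated as FIPS mode off."""
    flag_path = Path(flag)
    flag_text = flag_path.read_text() if flag_path.exists() else "0"
    return at_risk(Path(conf).read_text(), flag_text)

if __name__ == "__main__":
    print("sample, FIPS on :", at_risk(SAMPLE_CONF, "1\n"))
    print("sample, FIPS off:", at_risk(SAMPLE_CONF, "0\n"))
```

A node for which `check_host()` returns `True` is in the configuration this bug covers, so its installed corosync package should be compared with the Fixed In Version listed above.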