Bug 1484264

Summary: Corosync hangs on secauth with FIPS enabled [rhel-7.4.z]

Product: Red Hat Enterprise Linux 7
Reporter: Oneata Mircea Teodor <toneata>
Component: corosync
Assignee: Jan Friesse <jfriesse>
Status: CLOSED ERRATA
QA Contact: cluster-qe <cluster-qe>
Severity: urgent
Priority: urgent
Docs Contact:
Version: 7.4
CC: ccaulfie, cfeist, cluster-maint, igkioka, jfriesse, jruemker, mjuricek, mnovacek, nbarcet, rsteiger
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: corosync-2.4.0-9.el7_4.2
Doc Type: Bug Fix
Doc Text:
Previously, when the corosync service had encryption enabled and was running in an environment with FIPS kernel mode activated, corosync terminated unexpectedly after starting. A patch has been applied to load a symmetric key that works when FIPS kernel mode is activated, and the described problem no longer occurs.
Story Points: ---
Clone Of: 1461450
Environment:
Last Closed: 2017-09-05 11:24:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1461450
Bug Blocks:

Attachments (description, flags):
  7.4.z-bz1484264-1-totem-Propagate-totem-initialization-failure (flags: none)
  7.4.z-bz1484264-2-totemcrypto-Refactor-symmetric-key-importing (flags: none)
  7.4.z-bz1484264-3-totemcrypto-Use-different-method-to-import-key (flags: none)
  7.4.z-bz1484264-4-totemcrypto-Fix-compiler-warning (flags: none)

Description Oneata Mircea Teodor 2017-08-23 07:20:18 UTC
This bug has been copied from bug #1461450 and has been proposed to be backported to 7.4 z-stream (EUS).

Comment 2 Jan Friesse 2017-08-24 07:58:44 UTC
Created attachment 1317477 [details]
7.4.z-bz1484264-1-totem-Propagate-totem-initialization-failure

totem: Propagate totem initialization failure

(backported from master 564b4bf7d4c5b3f632a48610761dce58e5809b3a)

Signed-off-by: Jan Friesse <jfriesse>
Reviewed-by: Christine Caulfield <ccaulfie>

Comment 3 Jan Friesse 2017-08-24 07:58:50 UTC
Created attachment 1317478 [details]
7.4.z-bz1484264-2-totemcrypto-Refactor-symmetric-key-importing

totemcrypto: Refactor symmetric key importing

Signed-off-by: Jan Friesse <jfriesse>
Reviewed-by: Fabio M. Di Nitto <fdinitto>
Reviewed-by: Christine Caulfield <ccaulfie>

Comment 4 Jan Friesse 2017-08-24 07:58:57 UTC
Created attachment 1317479 [details]
7.4.z-bz1484264-3-totemcrypto-Use-different-method-to-import-key

totemcrypto: Use different method to import key

PK11_ImportSymKey doesn't work when FIPS is enabled because NSS is
targeting FIPS Level 2, where loading of an unencrypted symmetric
key is prohibited.

FIPS Level 2 is hard to achieve without breaking compatibility, so the
patch implements a "workaround" to make NSS behave like FIPS Level 1
(where loading an unencrypted symmetric key is allowed).

The workaround uses a temporary key to encrypt the corosync authkey in
memory and then unwraps it into a valid NSS key.

Signed-off-by: Jan Friesse <jfriesse>
Reviewed-by: Fabio M. Di Nitto <fdinitto>
Reviewed-by: Christine Caulfield <ccaulfie>

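The affected combination is spelled out in the Doc Text above (FIPS kernel mode on, corosync encryption on) and the fix version in the header (corosync-2.4.0-9.el7_4.2). The following triage script is added here as an example; it is not part of corosync, of this errata, or of the attached patches. It checks one node for all three conditions. Its assumptions: totem crypto is considered on unless corosync.conf sets "secauth: off", with an explicit crypto_cipher/crypto_hash overriding that in either direction (this mirrors the corosync 2.x defaults as understood by the author of this example); the config parser does not track block nesting; the version comparison is a simplified rpmvercmp that ignores epochs and tilde/caret ordering; the function names, the CHECK_LIVE switch and the sample inputs in the comments are this example's own.

```shell
#!/bin/sh
# Added triage check, not part of corosync or of this bug's patches.
# Flags a node that matches the affected combination in this bug: FIPS
# kernel mode on, corosync totem crypto on, corosync older than the fix.

FIXED_VERSION="2.4.0-9.el7_4.2"   # "Fixed In Version" from the bug header

# fips_enabled FILE: exit 0 when the kernel flag file reads "1".
# On a live node FILE is /proc/sys/crypto/fips_enabled.
fips_enabled() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# totem_crypto_enabled CONF: exit 0 when corosync.conf turns on totem
# encryption or authentication. Assumption (corosync 2.x defaults as
# modelled here): aes256/sha1 unless "secauth: off"; an explicit
# crypto_cipher / crypto_hash overrides that whatever the line order.
# Block nesting ("totem { }") is not tracked, so keys are matched anywhere.
totem_crypto_enabled() {
    awk '
    function val(line) {                    # value after "key:"
        sub(/^[^:]*:[[:space:]]*/, "", line); sub(/[[:space:]]*$/, "", line)
        return tolower(line)
    }
    BEGIN { secauth = "on"; cipher = ""; hash = "" }
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*secauth[[:space:]]*:/       { secauth = val($0) }
    /^[[:space:]]*crypto_cipher[[:space:]]*:/ { cipher  = val($0) }
    /^[[:space:]]*crypto_hash[[:space:]]*:/   { hash    = val($0) }
    END {
        c = "aes256"; h = "sha1"
        if (secauth == "off") { c = "none"; h = "none" }
        if (cipher != "") c = cipher
        if (hash   != "") h = hash
        exit !(c != "none" || h != "none")
    }' "$1"
}

# rpm_vercmp A B: print -1, 0 or 1 like rpmvercmp(3), comparing
# VERSION-RELEASE strings segment by segment (digits numerically,
# letters lexically, a numeric segment beating an alphabetic one,
# the longer string winning on a common prefix). Simplification:
# no epoch, tilde or caret handling, which corosync packages do not use.
rpm_vercmp() {
    awk -v a="$1" -v b="$2" '
    function segs(s, arr,    n, tok) {
        n = 0
        while (s != "") {
            if (match(s, /^[0-9]+/) || match(s, /^[A-Za-z]+/)) {
                tok = substr(s, RSTART, RLENGTH); s = substr(s, RLENGTH + 1)
                arr[++n] = tok
            } else {
                s = substr(s, 2)            # skip a separator such as . - _
            }
        }
        return n
    }
    function cmp_seg(x, y) {
        if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) {
            x += 0; y += 0
            return (x < y) ? -1 : (x > y) ? 1 : 0
        }
        if (x ~ /^[0-9]+$/) return 1
        if (y ~ /^[0-9]+$/) return -1
        return (x < y) ? -1 : (x > y) ? 1 : 0
    }
    BEGIN {
        split("", A); split("", B)
        na = segs(a, A); nb = segs(b, B)
        n = (na < nb) ? na : nb
        for (i = 1; i <= n; i++) {
            r = cmp_seg(A[i], B[i])
            if (r != 0) { print r; exit }
        }
        print (na < nb) ? -1 : (na > nb) ? 1 : 0
    }'
}

# corosync_affected FIPS_FILE CONF VERSION_RELEASE: exit 0 when all three
# conditions hold. VERSION_RELEASE is what
#   rpm -q --qf '%{VERSION}-%{RELEASE}' corosync
# prints on the node.
corosync_affected() {
    fips_enabled "$1" && totem_crypto_enabled "$2" \
        && [ "$(rpm_vercmp "$3" "$FIXED_VERSION")" -lt 0 ]
}

# Live check (this example's own switch): CHECK_LIVE=1 sh check-corosync-fips.sh
if [ "${CHECK_LIVE:-0}" = "1" ]; then
    ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' corosync 2>/dev/null) || ver=""
    if [ -n "$ver" ] && corosync_affected /proc/sys/crypto/fips_enabled \
            /etc/corosync/corosync.conf "$ver"; then
        echo "corosync-$ver: FIPS on and totem crypto on; update to corosync-$FIXED_VERSION or later"
    else
        echo "not affected (corosync version: ${ver:-not installed})"
    fi
fi
```

A node where corosync is not installed, or where totem crypto resolves to none/none, is reported as not affected; a node with the fix already installed passes the version test even if FIPS and crypto are both on, which is the expected state after applying RHBA-2017:2570.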
Comment 5 Jan Friesse 2017-08-24 07:59:02 UTC
Created attachment 1317480 [details]
7.4.z-bz1484264-4-totemcrypto-Fix-compiler-warning

totemcrypto: Fix compiler warning

Signed-off-by: Jan Friesse <jfriesse>

Comment 9 errata-xmlrpc 2017-09-05 11:24:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2570