Bug 1484264
Summary: | Corosync hangs on secauth with FIPS enabled [rhel-7.4.z] | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
Component: | corosync | Assignee: | Jan Friesse <jfriesse> |
Status: | CLOSED ERRATA | QA Contact: | cluster-qe <cluster-qe> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | ||
Version: | 7.4 | CC: | ccaulfie, cfeist, cluster-maint, igkioka, jfriesse, jruemker, mjuricek, mnovacek, nbarcet, rsteiger |
Target Milestone: | rc | Keywords: | ZStream |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | corosync-2.4.0-9.el7_4.2 | Doc Type: | Bug Fix |
Doc Text: | Previously, when the corosync service had encryption enabled and was running in an environment with FIPS kernel mode activated, corosync terminated unexpectedly after starting. A patch has been applied to load a symmetric key that works when FIPS kernel mode is activated, and the described problem no longer occurs. |
Story Points: | --- |
Clone Of: | 1461450 | Environment: | |
Last Closed: | 2017-09-05 11:24:10 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1461450 | ||
Bug Blocks: | |||
Attachments: |
Description
Oneata Mircea Teodor
2017-08-23 07:20:18 UTC
Created attachment 1317477 [details]
7.4.z-bz1484264-1-totem-Propagate-totem-initialization-failure

totem: Propagate totem initialization failure

(backported from master 564b4bf7d4c5b3f632a48610761dce58e5809b3a)

Signed-off-by: Jan Friesse <jfriesse>
Reviewed-by: Christine Caulfield <ccaulfie>

Created attachment 1317478 [details]
7.4.z-bz1484264-2-totemcrypto-Refactor-symmetric-key-importing

totemcrypto: Refactor symmetric key importing

Signed-off-by: Jan Friesse <jfriesse>
Reviewed-by: Fabio M. Di Nitto <fdinitto>
Reviewed-by: Christine Caulfield <ccaulfie>

Created attachment 1317479 [details]
7.4.z-bz1484264-3-totemcrypto-Use-different-method-to-import-key

totemcrypto: Use different method to import key

PK11_ImportSymKey doesn't work when FIPS is enabled because NSS is targeting to FIPS Level 2 where loading of unencrypted symmetric key is prohibited.

FIPS Level 2 is hard to achieve without breaking compatibility so patch implements "workaround" to make NSS behave like FIPS Level 1 (where is allowed to load unencrypted symmetric key).

Workaround is about using temporal key to encrypt corosync authkey in memory and then to unwrap it into valid NSS key.

Signed-off-by: Jan Friesse <jfriesse>
Reviewed-by: Fabio M. Di Nitto <fdinitto>
Reviewed-by: Christine Caulfield <ccaulfie>

Created attachment 1317480 [details]
7.4.z-bz1484264-4-totemcrypto-Fix-compiler-warning

totemcrypto: Fix compiler warning

Signed-off-by: Jan Friesse <jfriesse>

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2570