Bug 1549531

Summary: Use of md5 / sha256 from gnulib prevents FIPS compliance
Product: Red Hat Enterprise Linux 7
Reporter: Daniel Berrangé <berrange>
Component: libvirt
Assignee: Ján Tomko <jtomko>
Status: CLOSED ERRATA
QA Contact: Lili Zhu <lizhu>
Severity: unspecified
Priority: unspecified
Version: 7.5
CC: dyuan, dzheng, fjin, jdenemar, jtomko, xuzhang
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libvirt-4.4.0-1.el7
Clones: 1549532
Last Closed: 2018-10-30 09:52:39 UTC
Type: Bug
Bug Blocks: 1549532

Comment 2 Ján Tomko 2018-05-11 15:51:25 UTC
Patches proposed upstream:
https://www.redhat.com/archives/libvir-list/2018-May/msg00892.html

Comment 3 Ján Tomko 2018-05-14 12:43:28 UTC
Fixed upstream as of:
commit 799011bbe7b9fba90c646021b1ff0179a0463596
Author:     Ján Tomko <jtomko>
CommitDate: 2018-05-14 14:05:21 +0200

    vircrypto: Rely on GnuTLS for hash functions
    
    Ditch the use of gnulib's digest functions in favor of GnuTLS,
    which might be more likely to get FIPS-certified.
    
    Signed-off-by: Ján Tomko <jtomko>

git describe: v4.3.0-175-g799011bbe7

Comment 5 Lili Zhu 2018-08-22 07:41:19 UTC
Checked the source code that calls virCryptoHashString and virCryptoHashBuf; verified this bug with:
Libvirt-4.5.0-7.el7.x86_64
qemu-kvm-rhev-2.12.0-11.el7.x86_64

Steps to verify:
For the ESX-related features, take esxNetworkLookupByUUID as an example.
Connect to the ESX server and check the network's UUID:
# virsh -c esx://esx ip/?no_verify=1
virsh # net-list
 Name                 State      Autostart     Persistent
----------------------------------------------------------
 vSwitch0             active     yes           yes

virsh # net-dumpxml vSwitch0
<network>
  <name>vSwitch0</name>
  <uuid>2f467347-8b4e-8655-e7d6-c4c3fb968009</uuid>
  <forward dev='vmnic0' mode='bridge'>
    <interface dev='vmnic0'/>
    <interface dev='vmnic2'/>
  </forward>
  <portgroup name='VM Network'>
  </portgroup>
</network>

virsh # net-list --uuid
2f467347-8b4e-8655-e7d6-c4c3fb968009
It can be seen that the looked-up UUID of vSwitch0 is the same as the one in the XML.

For the file-caching-related feature, the verification steps are as follows:
2.1 Check the cache file
# ll /var/cache/libvirt/qemu/capabilities/
total 52
-rw-------. 1 root root 53018 Aug  8 17:19 3c76bc41d59c0c7314b1ae8e63f4f765d2cf16abaeea081b3ca1f5d8732f7bb1.xml

2.2 restart libvirtd
# systemctl restart libvirtd

2.3 check the libvirtd log 
2018-08-15 08:39:47.540+0000: 8213: debug : virFileCacheLoad:174 : Loaded cached data '/var/cache/libvirt/qemu/capabilities/3c76bc41d59c0c7314b1ae8e63f4f765d2cf16abaeea081b3ca1f5d8732f7bb1.xml' for '/usr/libexec/qemu-kvm'

It can be seen that qemu found and loaded the cached data from the existing qemu capabilities XML.

Comment 6 Lili Zhu 2018-08-22 07:46:41 UTC
Hi, Ján

Please check whether the verification steps in https://bugzilla.redhat.com/show_bug.cgi?id=1549531#c5 are enough to mark the bug as verified. Thanks.

Comment 7 Ján Tomko 2018-08-22 11:47:10 UTC
Yes.

You should also see gnutls_hash_fast being used in the output of:
objdump  -T libvirt.so.0
but I don't think there is a way to see we're no longer using gnulib's implementation without looking at the code, so the fact that we
deleted the gnulib code and hashing still works should be enough.

Comment 8 Lili Zhu 2018-09-17 01:22:41 UTC
Checked the dynamic symbols of libvirt.so.0 with libvirt-4.5.0-9.el7.x86_64:

# objdump  -T /usr/lib64/libvirt.so.0 | grep gnutls_hash_fast
0000000000000000      DF *UND*	0000000000000000  GNUTLS_2_10 gnutls_hash_fast

As the result matches the expected result, marking the bug as verified.
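The two checks from comments 5, 7 and 8 (the capabilities cache file whose name is a SHA-256 hash, and the gnutls_hash_fast import in objdump -T output) can be scripted so they can be re-run on any host. The script below is an added example written for this page; it is not libvirt code and not part of the bug's comments. It assumes the library and binary paths shown (overridable via environment variables), that libvirt's file cache names its entries by the hex SHA-256 of the cached object's name, here the qemu binary path (so the file name from comment 5 can be recomputed and compared), and that either sha256sum or shasum is installed. It also prints the kernel FIPS flag, which the page's verification does not look at but which a FIPS-compliance check would want alongside the symbol check.

```shell
#!/bin/sh
# Added verification helper for bug 1549531 (not libvirt's own code).
# Assumptions: paths below; cache file name = hex SHA-256 of the qemu binary path.

LIBVIRT_SO="${LIBVIRT_SO:-/usr/lib64/libvirt.so.0}"
QEMU_BIN="${QEMU_BIN:-/usr/libexec/qemu-kvm}"
CACHE_DIR="${CACHE_DIR:-/var/cache/libvirt/qemu/capabilities}"

# Reads `objdump -T` output on stdin. Succeeds only if gnutls_hash_fast is an
# undefined (*UND*) dynamic symbol, i.e. it is resolved from libgnutls at
# runtime rather than being an in-tree (gnulib) implementation.
imports_gnutls_hash_fast() {
    grep -q 'UND\*.*gnutls_hash_fast$'
}

# Hex SHA-256 of a string with no trailing newline; uses whichever of
# sha256sum (coreutils) or shasum (perl) is available.
sha256_of_string() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# Expected capabilities cache file for a qemu binary path inside a cache dir
# (assumption: libvirt's file cache names entries by SHA-256 of that path).
expected_cache_file() {
    printf '%s/%s.xml\n' "$2" "$(sha256_of_string "$1")"
}

# Kernel FIPS flag: prints 1 when FIPS mode is enforced, 0 otherwise.
fips_enabled() {
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        cat /proc/sys/crypto/fips_enabled
    else
        echo 0
    fi
}

# Only exercise the real checks when a libvirt library is present.
if [ -r "$LIBVIRT_SO" ]; then
    if objdump -T "$LIBVIRT_SO" | imports_gnutls_hash_fast; then
        echo "OK: $LIBVIRT_SO imports gnutls_hash_fast"
    else
        echo "FAIL: $LIBVIRT_SO does not import gnutls_hash_fast"
    fi
    f=$(expected_cache_file "$QEMU_BIN" "$CACHE_DIR")
    if [ -f "$f" ]; then
        echo "OK: cache entry for $QEMU_BIN is $f"
    else
        echo "no cache entry yet at $f (start libvirtd and re-run)"
    fi
    echo "kernel FIPS mode: $(fips_enabled)"
fi
```

On a RHEL 7 host the recomputed file name can be compared with the one listed under /var/cache/libvirt/qemu/capabilities/ in comment 5; a mismatch would mean the hash path in use differs from the assumption above. The symbol check mirrors comment 8 exactly, so the grep pattern anchors on the *UND* column rather than just the symbol name.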

Comment 10 errata-xmlrpc 2018-10-30 09:52:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3113