Bug 1549531
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Use of md5 / sha256 from gnulib prevents FIPS compliance | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Daniel Berrangé <berrange> |
| Component | libvirt | Assignee | Ján Tomko <jtomko> |
| Status | CLOSED ERRATA | QA Contact | Lili Zhu <lizhu> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 7.5 | CC | dyuan, dzheng, fjin, jdenemar, jtomko, xuzhang |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | libvirt-4.4.0-1.el7 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 1549532 | Environment | |
| Last Closed | 2018-10-30 09:52:39 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1549532 | | |
Comment 2
Ján Tomko
2018-05-11 15:51:25 UTC
Fixed upstream as of:

```
commit 799011bbe7b9fba90c646021b1ff0179a0463596
Author: Ján Tomko <jtomko>
CommitDate: 2018-05-14 14:05:21 +0200

    vircrypto: Rely on GnuTLS for hash functions

    Ditch the use of gnulib's digest functions in favor of GnuTLS,
    which might be more likely to get FIPS-certified.

    Signed-off-by: Ján Tomko <jtomko>
```

git describe: v4.3.0-175-g799011bbe7

Check the source code that calls virCryptoHashString and virCryptoHashBuf; verify this bug with:

- libvirt-4.5.0-7.el7.x86_64
- qemu-kvm-rhev-2.12.0-11.el7.x86_64

Steps to verify:

1. For the esx related features, choose esxNetworkLookupByUUID as an example. Connect to the esx server and check the network with its uuid:

```
# virsh -c esx://esx ip/?no_verify=1
virsh # net-list
 Name                 State      Autostart     Persistent
----------------------------------------------------------
 vSwitch0             active     yes           yes

virsh # net-dumpxml vSwitch0
<network>
  <name>vSwitch0</name>
  <uuid>2f467347-8b4e-8655-e7d6-c4c3fb968009</uuid>
  <forward dev='vmnic0' mode='bridge'>
    <interface dev='vmnic0'/>
    <interface dev='vmnic2'/>
  </forward>
  <portgroup name='VM Network'>
  </portgroup>
</network>

virsh # net-list --uuid
2f467347-8b4e-8655-e7d6-c4c3fb968009
```

It can be seen that the looked-up uuid of vSwitch0 is the same as that in the XML.

2. For the file caching related feature, the verification steps are as follows:

2.1 Check the cache file:

```
# ll /var/cache/libvirt/qemu/capabilities/
total 52
-rw-------. 1 root root 53018 Aug  8 17:19 3c76bc41d59c0c7314b1ae8e63f4f765d2cf16abaeea081b3ca1f5d8732f7bb1.xml
```

2.2 Restart libvirtd:

```
# systemctl restart libvirtd
```

2.3 Check the libvirtd log:

```
2018-08-15 08:39:47.540+0000: 8213: debug : virFileCacheLoad:174 : Loaded cached data '/var/cache/libvirt/qemu/capabilities/3c76bc41d59c0c7314b1ae8e63f4f765d2cf16abaeea081b3ca1f5d8732f7bb1.xml' for '/usr/libexec/qemu-kvm'
```

It can be seen that qemu found and loaded the cached data from the existing qemu capabilities XML.
Hi, Ján

Please have a check whether the verification steps in https://bugzilla.redhat.com/show_bug.cgi?id=1549531#c5 are enough to mark the bug as verified.

Thanks

Yes. You should also see gnutls_hash_fast being used in the output of:

```
objdump -T libvirt.so.0
```

but I don't think there is a way to see we're no longer using gnulib's implementation without looking at the code, so the fact that we deleted the gnulib code and hashing still works should be enough.

Check the info about libvirt.so.0 with libvirt-4.5.0-9.el7.x86_64:

```
# objdump -T /usr/lib64/libvirt.so.0 | grep gnutls_hash_fast
0000000000000000      DF *UND*  0000000000000000  GNUTLS_2_10 gnutls_hash_fast
```

As the result matches the expected result, marking the bug as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3113
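The two checks used in this thread, the `objdump -T` symbol check from Ján's reply and the capabilities-cache check from steps 2.1 to 2.3, can be mechanised. The script below is an added example written for this page; it is not libvirt code or part of the bug report. The objdump text is a constructed sample built around the line quoted above, and the claim that the cache file is named after the SHA-256 of the emulator path is my reading of libvirt's virFileCacheGetFileName, not something the report states.

```python
import hashlib
import os
import subprocess

# Constructed sample of `objdump -T libvirt.so.0` output: the gnutls_hash_fast
# line is the one quoted in the bug; the other two entries are made up.
SAMPLE_OBJDUMP = """\
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 strlen
0000000000000000      DF *UND*  0000000000000000  GNUTLS_2_10 gnutls_hash_fast
00000000000c1f30 g    DF .text  0000000000000041  LIBVIRT_0.0.3 virConnectClose
"""
# Cache file name seen in step 2.1 of the report for /usr/libexec/qemu-kvm.
OBSERVED_CACHE_FILE = "3c76bc41d59c0c7314b1ae8e63f4f765d2cf16abaeea081b3ca1f5d8732f7bb1.xml"

def undefined_dynamic_symbols(objdump_text):
    """Symbols the object imports from other libraries (objdump flags them *UND*)."""
    imported = set()
    for line in objdump_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and "*UND*" in fields:
            imported.add(fields[-1])
    return imported

def uses_gnutls_hashing(objdump_text):
    """Check 1 (the reply above): hashing now goes through GnuTLS."""
    return "gnutls_hash_fast" in undefined_dynamic_symbols(objdump_text)

def library_uses_gnutls_hashing(library_path):
    """Same check against a real shared object (needs binutils installed)."""
    out = subprocess.run(["objdump", "-T", library_path],
                         capture_output=True, text=True, check=True).stdout
    return uses_gnutls_hashing(out)

def expected_cache_file(cache_dir, emulator, suffix="xml"):
    """Check 2 (steps 2.1-2.3): the name libvirt's file cache uses for `emulator`.
    Assumption: the entry name is SHA-256 hashed and hex-encoded (virCryptoHashString
    with VIR_CRYPTO_HASH_SHA256), so it depends on the path, not the binary's contents."""
    digest = hashlib.sha256(emulator.encode()).hexdigest()
    return os.path.join(cache_dir, f"{digest}.{suffix}")

def cache_entry_matches(cache_dir, emulator, observed_file):
    """True if a file name listed in the cache directory is the expected one."""
    return os.path.basename(expected_cache_file(cache_dir, emulator)) == observed_file

if __name__ == "__main__":
    print("gnutls_hash_fast imported:", uses_gnutls_hashing(SAMPLE_OBJDUMP))
    print("cache file name matches:", cache_entry_matches(
        "/var/cache/libvirt/qemu/capabilities", "/usr/libexec/qemu-kvm", OBSERVED_CACHE_FILE))
```

As Ján notes, the symbol check only shows that GnuTLS is linked and called; it cannot prove that no private digest code remains, so reviewing the source stays part of the verification.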