Bug 1718074
| Summary: | stop using GHmac | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Colin Walters <walters> |
| Component: | cockpit | Assignee: | Martin Pitt <mpitt> |
| Status: | CLOSED NOTABUG | QA Contact: | Release Test Team <release-test-team-automation> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.1 | ||
| Target Milestone: | rc | ||
| Target Release: | 8.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-06 20:40:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1630260, 1896162 | ||
|
Description
Colin Walters
2019-06-06 20:13:30 UTC
Specifically https://bugzilla.redhat.com/show_bug.cgi?id=1630260#c24 TL;DR it's possible for 8.1 glib will switch to making usage of g_hmac_*() a fatal error. You need to switch to a FIPS-validated library such as OpenSSL. GHMac is only being used in src/ssh/cockpitsshknownhosts.c. This is only a backwards compat shim for libssh 0.7, i. e. for RHEL 7 builds. This entire file isn't built for RHEL 8:
if !HAVE_SSH_SESSION_HAS_KNOWN_HOSTS_ENTRY
libcockpit_ssh_a_SOURCES += \
src/ssh/cockpitsshknownhosts.h \
src/ssh/cockpitsshknownhosts.c \
$(NULL)
endif
So this isn't an issue for RHEL 8.
As soon as RHEL 7.7 is released, we can stop supporting RHEL 7 in our upstream master branch and then throw out two metric tons of obsolete code, also this one. :-) But this will just affect source code grepping, not runtime behaviour.
|