Patches proposed upstream:
Fixed upstream as of:
Author: Ján Tomko <email@example.com>
CommitDate: 2018-05-14 14:05:21 +0200
vircrypto: Rely on GnuTLS for hash functions
Ditch the use of gnulib's digest functions in favor of GnuTLS,
which might be more likely to get FIPS-certified.
Signed-off-by: Ján Tomko <firstname.lastname@example.org>
git describe: v4.3.0-175-g799011bbe7
Check the source code that calls virCryptoHashString and virCryptoHashBuf, and verify this bug with:
Steps to verify:
For the ESX-related features, choose esxNetworkLookupByUUID as an example
Connect to the ESX server and check the network with its UUID
# virsh -c esx://esx ip/?no_verify=1
virsh # net-list
Name State Autostart Persistent
vSwitch0 active yes yes
virsh # net-dumpxml vSwitch0
<forward dev='vmnic0' mode='bridge'>
<portgroup name='VM Network'>
virsh # net-list --uuid
It can be seen that the looked-up UUID of vSwitch0 is the same as that in the XML
For the file caching related feature, verification steps are as follows:
2.1 Check the cache file
# ll /var/cache/libvirt/qemu/capabilities/
-rw-------. 1 root root 53018 Aug 8 17:19 3c76bc41d59c0c7314b1ae8e63f4f765d2cf16abaeea081b3ca1f5d8732f7bb1.xml
2.2 Restart libvirtd
# systemctl restart libvirtd
2.3 Check the libvirtd log
2018-08-15 08:39:47.540+0000: 8213: debug : virFileCacheLoad:174 : Loaded cached data '/var/cache/libvirt/qemu/capabilities/3c76bc41d59c0c7314b1ae8e63f4f765d2cf16abaeea081b3ca1f5d8732f7bb1.xml' for '/usr/libexec/qemu-kvm'
It can be seen that qemu found and loaded the cached data in the existing qemu capabilities XML.
Please check whether the verification steps in https://bugzilla.redhat.com/show_bug.cgi?id=1549531#c5 are enough to mark the bug as verified. Thanks
You should also see gnutls_hash_fast being used in the output of:
objdump -T libvirt.so.0
but I don't think there is a way to see we're no longer using gnulib's implementation without looking at the code, so the fact that we deleted the gnulib code and hashing still works should be enough.
Check the info about libvirt.so.0 with Libvirt-4.5.0-9.el7.x86_64
# objdump -T /usr/lib64/libvirt.so.0 | grep gnutls_hash_fast
0000000000000000 DF *UND* 0000000000000000 GNUTLS_2_10 gnutls_hash_fast
As the result matches the expected result, marked the bug as verified.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.