Bug 1549531 - Use of md5 / sha256 from gnulib prevents FIPS compliance
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Ján Tomko
QA Contact: Lili Zhu
URL:
Whiteboard:
Depends On:
Blocks: 1549532
Reported: 2018-02-27 11:44 UTC by Daniel Berrangé
Modified: 2018-10-30 09:54 UTC
CC List: 6 users

Fixed In Version: libvirt-4.4.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1549532
Environment:
Last Closed: 2018-10-30 09:52:39 UTC
Target Upstream Version:
Embargoed:

Links:
Red Hat Product Errata RHSA-2018:3113 (last updated 2018-10-30 09:54:42 UTC)

Comment 2 Ján Tomko 2018-05-11 15:51:25 UTC
Patches proposed upstream:
https://www.redhat.com/archives/libvir-list/2018-May/msg00892.html

Comment 3 Ján Tomko 2018-05-14 12:43:28 UTC
Fixed upstream as of:
commit 799011bbe7b9fba90c646021b1ff0179a0463596
Author:     Ján Tomko <jtomko>
CommitDate: 2018-05-14 14:05:21 +0200

    vircrypto: Rely on GnuTLS for hash functions
    
    Ditch the use of gnulib's digest functions in favor of GnuTLS,
    which might be more likely to get FIPS-certified.
    
    Signed-off-by: Ján Tomko <jtomko>

git describe: v4.3.0-175-g799011bbe7

Comment 5 Lili Zhu 2018-08-22 07:41:19 UTC
Check the source code that calls virCryptoHashString and virCryptoHashBuf, and verify this bug with:
Libvirt-4.5.0-7.el7.x86_64
qemu-kvm-rhev-2.12.0-11.el7.x86_64

Steps to verify:
For the ESX-related features, choose esxNetworkLookupByUUID as an example.
Connect to the ESX server and check the network by its UUID:
# virsh -c esx://esx ip/?no_verify=1
virsh # net-list
 Name                 State      Autostart     Persistent
----------------------------------------------------------
 vSwitch0             active     yes           yes

virsh # net-dumpxml vSwitch0
<network>
  <name>vSwitch0</name>
  <uuid>2f467347-8b4e-8655-e7d6-c4c3fb968009</uuid>
  <forward dev='vmnic0' mode='bridge'>
    <interface dev='vmnic0'/>
    <interface dev='vmnic2'/>
  </forward>
  <portgroup name='VM Network'>
  </portgroup>
</network>

virsh # net-list --uuid
2f467347-8b4e-8655-e7d6-c4c3fb968009
It can be seen that the looked-up UUID of vSwitch0 is the same as the one in the XML.

For the file-caching-related feature, the verification steps are as follows:
2.1 Check the cache file
# ll /var/cache/libvirt/qemu/capabilities/
total 52
-rw-------. 1 root root 53018 Aug  8 17:19 3c76bc41d59c0c7314b1ae8e63f4f765d2cf16abaeea081b3ca1f5d8732f7bb1.xml

2.2 restart libvirtd
# systemctl restart libvirtd

2.3 Check the libvirtd log
2018-08-15 08:39:47.540+0000: 8213: debug : virFileCacheLoad:174 : Loaded cached data '/var/cache/libvirt/qemu/capabilities/3c76bc41d59c0c7314b1ae8e63f4f765d2cf16abaeea081b3ca1f5d8732f7bb1.xml' for '/usr/libexec/qemu-kvm'

It can be seen that qemu found and loaded the cached data from the existing qemu capabilities XML.
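
As an added worked example (not part of this bug report or of libvirt's own code), the check in step 2.3 can be made reproducible: the script recomputes the cache file name that libvirt's hashing would produce for the emulator path and compares it with the name in the virFileCacheLoad log line. It assumes, from libvirt's virfilecache code rather than from anything stated in this bug, that the cache entry name is the SHA-256 of the emulator binary path; hashlib's SHA-256 is provided by the platform's OpenSSL, the same "rely on the system's certified library" approach the fix takes with GnuTLS.

```python
import hashlib
import re

# Input: the libvirtd debug line quoted in comment 5 of this bug,
# re-typed here as sample data.
SAMPLE_LOG = (
    "2018-08-15 08:39:47.540+0000: 8213: debug : virFileCacheLoad:174 : "
    "Loaded cached data '/var/cache/libvirt/qemu/capabilities/"
    "3c76bc41d59c0c7314b1ae8e63f4f765d2cf16abaeea081b3ca1f5d8732f7bb1.xml' "
    "for '/usr/libexec/qemu-kvm'"
)

LOAD_RE = re.compile(
    r"virFileCacheLoad:\d+ : Loaded cached data '([^']+)' for '([^']+)'"
)


def sha256_hex(data: str) -> str:
    """Hex SHA-256 of a string via the platform crypto library (OpenSSL under
    hashlib), the role virCryptoHashString(VIR_CRYPTO_HASH_SHA256) plays in libvirt."""
    return hashlib.sha256(data.encode()).hexdigest()


def expected_cache_file(cache_dir: str, binary: str, suffix: str = "xml") -> str:
    """Assumption (taken from libvirt's virfilecache, not stated in the bug):
    the cache entry for an emulator is <cache_dir>/<sha256(binary path)>.<suffix>."""
    return f"{cache_dir}/{sha256_hex(binary)}.{suffix}"


def parse_load_line(line: str):
    """Return (cache_file, binary) from a virFileCacheLoad debug line, or None."""
    m = LOAD_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def check_cache_load(line: str, cache_dir: str = "/var/cache/libvirt/qemu/capabilities"):
    """Compare the file libvirtd reports loading with the name the hashing scheme
    predicts for that emulator binary. Returns (predicted, reported, match) or None."""
    parsed = parse_load_line(line)
    if parsed is None:
        return None
    reported, binary = parsed
    predicted = expected_cache_file(cache_dir, binary)
    return predicted, reported, predicted == reported


if __name__ == "__main__":
    predicted, reported, ok = check_cache_load(SAMPLE_LOG)
    print("predicted:", predicted)
    print("reported: ", reported)
    print("match:", ok)
```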

Comment 6 Lili Zhu 2018-08-22 07:46:41 UTC
Hi, Ján

Please check whether the verification steps in https://bugzilla.redhat.com/show_bug.cgi?id=1549531#c5 are enough to mark the bug as verified. Thanks.

Comment 7 Ján Tomko 2018-08-22 11:47:10 UTC
Yes.

You should also see gnutls_hash_fast being used in the output of:
objdump  -T libvirt.so.0
but I don't think there is a way to see we're no longer using gnulib's implementation without looking at the code, so the fact that we deleted the gnulib code and hashing still works should be enough.

Comment 8 Lili Zhu 2018-09-17 01:22:41 UTC
Check the info about libvirt.so.0 with libvirt-4.5.0-9.el7.x86_64:

# objdump  -T /usr/lib64/libvirt.so.0 | grep gnutls_hash_fast
0000000000000000      DF *UND*	0000000000000000  GNUTLS_2_10 gnutls_hash_fast

As the result matches the expected result, marked the bug as verified.

Comment 10 errata-xmlrpc 2018-10-30 09:52:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3113

