Bug 1549531 - Use of md5 / sha256 from gnulib prevents FIPS compliance
Summary: Use of md5 / sha256 from gnulib prevents FIPS compliance
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.5
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Ján Tomko
QA Contact: Lili Zhu
URL:
Whiteboard:
Depends On:
Blocks: 1549532
TreeView+ depends on / blocked
 
Reported: 2018-02-27 11:44 UTC by Daniel Berrangé
Modified: 2018-10-30 09:54 UTC (History)
6 users (show)

Fixed In Version: libvirt-4.4.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1549532 (view as bug list)
Environment:
Last Closed: 2018-10-30 09:52:39 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3113 None None None 2018-10-30 09:54:42 UTC

Comment 2 Ján Tomko 2018-05-11 15:51:25 UTC
Patches proposed upstream:
https://www.redhat.com/archives/libvir-list/2018-May/msg00892.html

Comment 3 Ján Tomko 2018-05-14 12:43:28 UTC
Fixed upstream as of:
commit 799011bbe7b9fba90c646021b1ff0179a0463596
Author:     Ján Tomko <jtomko@redhat.com>
CommitDate: 2018-05-14 14:05:21 +0200

    vircrypto: Rely on GnuTLS for hash functions
    
    Ditch the use of gnulib's digest functions in favor of GnuTLS,
    which might be more likely to get FIPS-certified.
    
    Signed-off-by: Ján Tomko <jtomko@redhat.com>

git describe: v4.3.0-175-g799011bbe7

Comment 5 Lili Zhu 2018-08-22 07:41:19 UTC
Check the source codes that call virCryptoHashString and virCryptoHashBuf, verify this bug with:
Libvirt-4.5.0-7.el7.x86_64
qemu-kvm-rhev-2.12.0-11.el7.x86_64

Steps to verify:
For the esx related features, choose the esxNetworkLookupByUUID as an example
Connect to esx server, check the network with its uuid 
# virsh -c esx://esx ip/?no_verify=1
virsh # net-list
 Name                 State      Autostart     Persistent
----------------------------------------------------------
 vSwitch0             active     yes           yes

virsh # net-dumpxml vSwitch0
<network>
  <name>vSwitch0</name>
  <uuid>2f467347-8b4e-8655-e7d6-c4c3fb968009</uuid>
  <forward dev='vmnic0' mode='bridge'>
    <interface dev='vmnic0'/>
    <interface dev='vmnic2'/>
  </forward>
  <portgroup name='VM Network'>
  </portgroup>
</network>

virsh # net-list --uuid
2f467347-8b4e-8655-e7d6-c4c3fb968009
It can be seen that looked up uuid of vSwith0 is the same with that in xml

For the file caching related feature, verification steps are as follows:
2.1 Check the cache file 
# ll /var/cache/libvirt/qemu/capabilities/
total 52
-rw-------. 1 root root 53018 Aug  8 17:19 3c76bc41d59c0c7314b1ae8e63f4f765d2cf16abaeea081b3ca1f5d8732f7bb1.xml

2.2 restart libvirtd
# systemctl restart libvirtd

2.3 check the libvirtd log 
2018-08-15 08:39:47.540+0000: 8213: debug : virFileCacheLoad:174 : Loaded cached data '/var/cache/libvirt/qemu/capabilities/3c76bc41d59c0c7314b1ae8e63f4f765d2cf16abaeea081b3ca1f5d8732f7bb1.xml' for '/usr/libexec/qemu-kvm'

It can be seen that qemu found and load the cached data in the existing qemu capabilities xml.

Comment 6 Lili Zhu 2018-08-22 07:46:41 UTC
Hi, Ján

Please have a check whether the verification steps in https://bugzilla.redhat.com/show_bug.cgi?id=1549531#c5 are enough to mark the bug as verified. Thanks

Comment 7 Ján Tomko 2018-08-22 11:47:10 UTC
Yes.

You should also see gnutls_hash_fast being used in the output of:
objdump  -T libvirt.so.0
but I don't think there is a way to see we're no longer using gnulib's implementation without looking at the code, so the fact that we
deleted the gnulib code and hashing still works should be enough.

Comment 8 Lili Zhu 2018-09-17 01:22:41 UTC
Check the info about libvirt.so.0 with Libvirt-4.5.0-9.el7.x86_64

# objdump  -T /usr/lib64/libvirt.so.0 | grep gnutls_hash_fast
0000000000000000      DF *UND*	0000000000000000  GNUTLS_2_10 gnutls_hash_fast

As the result matches the expected result. Marked the bug as verified

Comment 10 errata-xmlrpc 2018-10-30 09:52:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3113


Note You need to log in before you can comment on or make changes to this bug.