From c3b7051387d4332f956148c5676383499fa31859 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Fri, 6 Aug 2021 14:26:37 -0400 Subject: [PATCH] Add option to set chap algorithms for iscsid for FIPS The default CHAP algorithm for iscsid is md5, which is disallowed under fips. We will set the chap algorithm to "SHA3-256,SHA256", which should work under all configurations. Change-Id: Ide186fb53b3f9826ff602cb7fb797f245a15033a --- lib/nova | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/nova b/lib/nova index 5fcccffec1..1420183a19 100644 --- a/lib/nova +++ b/lib/nova @@ -315,6 +315,10 @@ EOF sudo systemctl daemon-reload fi + # set chap algorithms. The default chap_algorithm is md5 which will + # not work under FIPS + iniset -sudo /etc/iscsi/iscsid.conf DEFAULT "node.session.auth.chap_algs" "SHA3-256,SHA256" + # ensure that iscsid is started, even when disabled by default restart_service iscsid fi
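Review bot: the added `iniset -sudo /etc/iscsi/iscsid.conf DEFAULT "node.session.auth.chap_algs" "SHA3-256,SHA256"` line hardcodes the algorithm list, although the subject says "Add option"; nothing in the hunk lets a deployer override the value or skip the change. Consider reading the list from a variable that defaults to "SHA3-256,SHA256" and documenting it, so the setting can be adjusted without editing lib/nova. Also, iscsid.conf is a flat key = value file with no section headers, so please confirm that calling iniset with a DEFAULT section does not leave a `[DEFAULT]` header in the file that iscsid then has to tolerate, and that the key is written only once when the script is re-run. Minor: the new comment says "chap_algorithm" while the key being set is `chap_algs`; using the same name in both places makes the comment easier to grep for.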