From 3770875adbbbd0f6e60f141464efa2237fb9840a Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Wed, 5 Jan 2022 16:23:46 -0500 Subject: [PATCH] Set chap algorithms for FIPS if not openeuler The default CHAP algorithm for iscsid is md5, which is disallowed under fips. We will set the chap algorithm to "SHA3-256,SHA256", which should work under all configurations. For some reason, setting the CHAPAlgorithms as in c3b705138 breaks OpenEuler. Making this conditional so that tests continue to pass. Change-Id: Iaa740ecfbb9173dd97e90485bad88225caedb523 (cherry picked from commit ac958698d0e29cc0bc4bbad4476fc7bc01ed870d) --- lib/nova | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/nova b/lib/nova index 448c902af6..334eb8a637 100644 --- a/lib/nova +++ b/lib/nova @@ -320,6 +320,14 @@ EOF sudo systemctl daemon-reload fi + # set chap algorithms. The default chap_algorithm is md5 which will + # not work under FIPS. + # FIXME(alee) For some reason, this breaks openeuler. Openeuler devs should weigh in + # and determine the correct solution for openeuler here + if ! is_openeuler; then + iniset -sudo /etc/iscsi/iscsid.conf DEFAULT "node.session.auth.chap_algs" "SHA3-256,SHA256" + fi + # ensure that iscsid is started, even when disabled by default restart_service iscsid fi
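Review bot: The `if ! is_openeuler; then` guard in the lib/nova hunk leaves openEuler hosts on the iscsid default of md5, which the comment directly above says will not work under FIPS, and the FIXME carries no bug reference, so the gap is easy to lose. Suggest linking a tracking bug in the FIXME and adding an else branch that logs that `node.session.auth.chap_algs` was left unset, so a FIPS-enabled openEuler run fails with a visible cause instead of a silent CHAP negotiation problem. The commit message gives no cause for the openEuler breakage ("For some reason"), so the guard is keyed on the distro rather than on whatever actually differs there. Once the cause is known, the condition should test for that instead, since any other platform with the same behaviour would still break with this change.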