Bug 1110696

Summary: modify gnutls for FIPS-140-2 validation
Product: Red Hat Enterprise Linux 7
Reporter: Nikos Mavrogiannopoulos <nmavrogi>
Component: gnutls
Assignee: Nikos Mavrogiannopoulos <nmavrogi>
Status: CLOSED ERRATA
QA Contact: Stanislav Zidek <szidek>
Severity: high
Docs Contact:
Priority: high
Version: 7.1
CC: arubin, ksrot, lnovich, nmavrogi, szidek, tmraz
Target Milestone: rc
Keywords: Rebase
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: gnutls-3.3.8-11.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text: Rebase package(s) to version: gnutls-3.3.8-11.el7
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 07:06:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1110705, 1117188, 1117782, 1122528, 1165047
Bug Blocks: 717789, 1110750, 1113520

Description Nikos Mavrogiannopoulos 2014-06-18 09:30:15 UTC
Description of problem: In order for gnutls to pass FIPS-140-2 validation, modifications to the library design and the algorithms used are needed. These need to be implemented and rebased in RHEL.

A quick list of the needed requirements:
* A set of tests following FIPS140-2-IG for HMAC, ciphers and public key algorithms
* Implement tests on library startup and add a state machine
* Implement an integrity test on runtime on the binary
* Zeroize all cryptographic key material after use
* Implement a DRBG from NIST SP-800/90 which will replace the default RNG in FIPS mode.
* Implement self tests for the DRBG
* Disable algorithms that are not needed in FIPS mode
* Key generation and DH parameter generation based on FIPS recommendations.
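The startup self-test, state machine and zeroization requirements listed above, as an added illustration that is not gnutls code and not part of this bug report: a hypothetical `FipsModule` runs known-answer tests (public vectors from FIPS 180 and RFC 4231) at power-on, refuses every cryptographic operation unless it reached the operational state, and wipes the caller's key buffer after use.

```python
import hashlib
import hmac
from enum import Enum


class FipsState(Enum):
    POWER_ON = "power-on"
    SELF_TEST = "self-test"
    OPERATIONAL = "operational"
    ERROR = "error"


# Known-answer vectors, constructed from public test vectors: SHA-256("abc")
# from FIPS 180 and HMAC-SHA-256 test case 1 from RFC 4231.
KAT_VECTORS = [
    ("sha256", lambda: hashlib.sha256(b"abc").digest(),
     bytes.fromhex("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")),
    ("hmac-sha256", lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).digest(),
     bytes.fromhex("b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")),
]


class FipsModule:
    """Hypothetical module: every crypto entry point is gated on the state."""

    def __init__(self, kats=KAT_VECTORS):
        self.state = FipsState.POWER_ON
        self._kats = kats
        self.failed_test = None

    def power_on_self_test(self):
        # Run all KATs; a single mismatch drives the module into ERROR,
        # from which no cryptographic operation is permitted.
        self.state = FipsState.SELF_TEST
        for name, run, expected in self._kats:
            if not hmac.compare_digest(run(), expected):
                self.state = FipsState.ERROR
                self.failed_test = name
                return False
        self.state = FipsState.OPERATIONAL
        return True

    def hmac_sha256(self, key: bytearray, data: bytes) -> bytes:
        if self.state is not FipsState.OPERATIONAL:
            raise RuntimeError("FIPS module not operational: %s" % self.state.value)
        try:
            return hmac.new(key, data, hashlib.sha256).digest()
        finally:
            # Zeroize the caller's key buffer after use (bytearray is mutable).
            for i in range(len(key)):
                key[i] = 0
```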

Comment 1 Tomas Mraz 2014-06-18 09:35:58 UTC
To make it clear - we want to rebase gnutls in RHEL-7.1 to gnutls-3.3.x which is fully API/ABI compatible with the current gnutls in RHEL-7.

Comment 7 Tomas Mraz 2014-10-14 14:30:20 UTC
*** Bug 1152570 has been marked as a duplicate of this bug. ***

Comment 16 errata-xmlrpc 2015-03-05 07:06:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0315.html