File _patchinfo of Package patchinfo.6304

<patchinfo incident="6304">
  <issue id="1055271" tracker="bnc">FIPS: [TRACKERBUG] Mozilla NSS code review changes needed</issue>
  <issue id="1074009" tracker="bnc">Cinder tempest failures in cloud-mkcloud7-job-4nodes-linuxbridge-x86_64</issue>
  <issue id="1049673" tracker="bnc">FIPS: mozilla-nss: implementation of additional algorithms in test harness</issue>
  <issue id="1043853" tracker="bnc">FIPS: mozilla-nss: use getrandom system call for DRBG seeding</issue>
  <category>recommended</category>
  <rating>moderate</rating>
  <packager>hpjansson</packager>
  <description>This update for mozilla-nss provides the following fixes:

- Change DRBG to use the getrandom() kernel interface instead of /dev/urandom (bsc#1043853).
- Add patches for strengthening and FIPS compliance (bsc#1055271, bsc#1049673):
  * Use getrandom() instead of /dev/random and /dev/urandom where available.
  * Remove continuous DRBG test. This is no longer required for FIPS compliance.
  * Add DSA known answer POST.
  * Add ECDSA known answer POST.
  * Use FIPS compliant hash length in pairwise consistency check.
  * Make RSA key generation parameters more strict in order to meet FIPS criteria.
  * Add DH and ECDH known answer POSTs.
  * Add KDF135 CAVS test.
  * Add keywrapping CAVS test.
  * Add KAS FFC CAVS test.
  * Add KAS ECC CAVS test.
  * Restrict number of bytes generated per GCM IV for FIPS compliance.
  * Add helpers required by new CAVS tests.
  * Add fixes to make DSA CAVS tests pass.
  * Add fixes to make RSA CAVS tests pass.
  * Add constructor POSTs.
  * Disable weak ciphers in FIPS mode.
  * Prevent wraparounds in CTR mode.
  * Clear various sensitive parameters from memory when no longer in use.
  * Allow TLS 1.0 PRF to work in FIPS mode, even though it relies on MD5, which is
    otherwise banned.
  * Use the strong random pool (/dev/random, or getrandom() with GRND_RANDOM, instead of their
    more dilute counterparts) in FIPS mode.
- We allow AESNI by default now. This can be disabled at runtime by defining NSS_DISABLE_HW_AES
  in the environment.
- Export NSS_FORCE_FIPS=1 for the build, since this is now needed to prevent NSS from passing
  -DNSS_NO_INIT_SUPPORT, which disables on-load FIPS POSTs.
</description>
  <summary>Recommended update for mozilla-nss</summary>
</patchinfo>